Security update for munge SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0484-1 Final 1 1 2026-02-12T18:22:45Z current 2026-02-12T18:22:45Z 2026-02-12T18:22:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for munge This update for munge fixes the following issues: - CVE-2026-25506: buffer overflow in message unpacking (bsc#1257651). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-484,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-484,openSUSE-SLE-15.6-2026-484 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260484-1/ Link for SUSE-SU-2026:0484-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024147.html E-Mail link for SUSE-SU-2026:0484-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257651 SUSE Bug 1257651 https://www.suse.com/security/cve/CVE-2026-25506/ SUSE CVE CVE-2026-25506 page SUSE Linux Enterprise Server 15 SP6-LTSS openSUSE Leap 15.6 libmunge2-0.5.15-150600.25.6.1 libmunge2-32bit-0.5.15-150600.25.6.1 libmunge2-64bit-0.5.15-150600.25.6.1 munge-0.5.15-150600.25.6.1 munge-devel-0.5.15-150600.25.6.1 munge-devel-32bit-0.5.15-150600.25.6.1 munge-devel-64bit-0.5.15-150600.25.6.1 libmunge2-0.5.15-150600.25.6.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS munge-0.5.15-150600.25.6.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS munge-devel-0.5.15-150600.25.6.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libmunge2-0.5.15-150600.25.6.1 as a component of openSUSE Leap 15.6 libmunge2-32bit-0.5.15-150600.25.6.1 as a component of openSUSE Leap 15.6 munge-0.5.15-150600.25.6.1 as a component of openSUSE Leap 15.6 munge-devel-0.5.15-150600.25.6.1 as a component of openSUSE Leap 15.6 munge-devel-32bit-0.5.15-150600.25.6.1 as a component of openSUSE Leap 15.6 MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18. CVE-2026-25506 SUSE Linux Enterprise Server 15 SP6-LTSS:libmunge2-0.5.15-150600.25.6.1 SUSE Linux Enterprise Server 15 SP6-LTSS:munge-0.5.15-150600.25.6.1 SUSE Linux Enterprise Server 15 SP6-LTSS:munge-devel-0.5.15-150600.25.6.1 openSUSE Leap 15.6:libmunge2-0.5.15-150600.25.6.1 openSUSE Leap 15.6:libmunge2-32bit-0.5.15-150600.25.6.1 openSUSE Leap 15.6:munge-0.5.15-150600.25.6.1 openSUSE Leap 15.6:munge-devel-0.5.15-150600.25.6.1 openSUSE Leap 15.6:munge-devel-32bit-0.5.15-150600.25.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260484-1/ https://www.suse.com/security/cve/CVE-2026-25506.html CVE-2026-25506 https://bugzilla.suse.com/1257651 SUSE Bug 1257651