Security update for libmicrohttpd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20029-1 Final 1 1 2026-01-12T11:15:02Z current 2026-01-12T11:15:02Z 2026-01-12T11:15:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libmicrohttpd This update for libmicrohttpd fixes the following issues: - CVE-2025-62689: Fixed heap-based buffer overflow through a specially crafted packet (bsc#1253178) - CVE-2025-59777: Fixed NULL pointer dereference through a specially crafted packet (bsc#1253177) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-130 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620029-1/ Link for SUSE-SU-2026:20029-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023775.html E-Mail link for SUSE-SU-2026:20029-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1253177 SUSE Bug 1253177 https://bugzilla.suse.com/1253178 SUSE Bug 1253178 https://www.suse.com/security/cve/CVE-2025-59777/ SUSE CVE CVE-2025-59777 page https://www.suse.com/security/cve/CVE-2025-62689/ SUSE CVE CVE-2025-62689 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 libmicrohttpd-devel-1.0.1-160000.3.1 libmicrohttpd12-1.0.1-160000.3.1 libmicrohttpd-devel-1.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libmicrohttpd12-1.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 libmicrohttpd-devel-1.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 libmicrohttpd12-1.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. CVE-2025-59777 SUSE Linux Enterprise Server 16.0:libmicrohttpd-devel-1.0.1-160000.3.1 SUSE Linux Enterprise Server 16.0:libmicrohttpd12-1.0.1-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libmicrohttpd-devel-1.0.1-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libmicrohttpd12-1.0.1-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620029-1/ https://www.suse.com/security/cve/CVE-2025-59777.html CVE-2025-59777 https://bugzilla.suse.com/1253177 SUSE Bug 1253177 NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. CVE-2025-62689 SUSE Linux Enterprise Server 16.0:libmicrohttpd-devel-1.0.1-160000.3.1 SUSE Linux Enterprise Server 16.0:libmicrohttpd12-1.0.1-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libmicrohttpd-devel-1.0.1-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:libmicrohttpd12-1.0.1-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620029-1/ https://www.suse.com/security/cve/CVE-2025-62689.html CVE-2025-62689 https://bugzilla.suse.com/1253178 SUSE Bug 1253178