Security update for openssl-3-livepatches SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20607-1 Final 1 1 2026-02-18T16:23:27Z current 2026-02-18T16:23:27Z 2026-02-18T16:23:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssl-3-livepatches This update for openssl-3-livepatches fixes the following issues: - CVE-2025-11187: Fixed improper validation of PBMAC1 parameters in PKCS#12 MAC verification (bsc#1256878). - CVE-2025-15467: Fixed stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256876). - CVE-2025-15468: Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (bsc#1256880). - CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK Unwrap (bsc#1250410). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-298 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620607-1/ Link for SUSE-SU-2026:20607-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024609.html E-Mail link for SUSE-SU-2026:20607-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1250410 SUSE Bug 1250410 https://bugzilla.suse.com/1256876 SUSE Bug 1256876 https://bugzilla.suse.com/1256878 SUSE Bug 1256878 https://bugzilla.suse.com/1256880 SUSE Bug 1256880 https://www.suse.com/security/cve/CVE-2025-11187/ SUSE CVE CVE-2025-11187 page https://www.suse.com/security/cve/CVE-2025-15467/ SUSE CVE CVE-2025-15467 page https://www.suse.com/security/cve/CVE-2025-15468/ SUSE CVE CVE-2025-15468 page https://www.suse.com/security/cve/CVE-2025-9230/ SUSE CVE CVE-2025-9230 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 openssl-3-livepatches-0.3-160000.1.1 openssl-3-livepatches-0.3-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 openssl-3-livepatches-0.3-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. CVE-2025-11187 SUSE Linux Enterprise Server 16.0:openssl-3-livepatches-0.3-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:openssl-3-livepatches-0.3-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620607-1/ https://www.suse.com/security/cve/CVE-2025-11187.html CVE-2025-11187 https://bugzilla.suse.com/1256829 SUSE Bug 1256829 https://bugzilla.suse.com/1256878 SUSE Bug 1256878 Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. CVE-2025-15467 SUSE Linux Enterprise Server 16.0:openssl-3-livepatches-0.3-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:openssl-3-livepatches-0.3-160000.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620607-1/ https://www.suse.com/security/cve/CVE-2025-15467.html CVE-2025-15467 https://bugzilla.suse.com/1256830 SUSE Bug 1256830 https://bugzilla.suse.com/1256876 SUSE Bug 1256876 Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. CVE-2025-15468 SUSE Linux Enterprise Server 16.0:openssl-3-livepatches-0.3-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:openssl-3-livepatches-0.3-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620607-1/ https://www.suse.com/security/cve/CVE-2025-15468.html CVE-2025-15468 https://bugzilla.suse.com/1256831 SUSE Bug 1256831 https://bugzilla.suse.com/1256880 SUSE Bug 1256880 Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. CVE-2025-9230 SUSE Linux Enterprise Server 16.0:openssl-3-livepatches-0.3-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:openssl-3-livepatches-0.3-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620607-1/ https://www.suse.com/security/cve/CVE-2025-9230.html CVE-2025-9230 https://bugzilla.suse.com/1250232 SUSE Bug 1250232 https://bugzilla.suse.com/1250410 SUSE Bug 1250410