
openSUSE Leap 16.0 Security Updates Address Critical Vulnerabilities

Severity: High (Score: 60.8)

Sources: Linuxsecurity

Published: 2026-06-09 · Updated: 2026-06-10

Keywords: opensuse, leap, heap, memory, update, files, install

Severity indicators: rat

Summary

Two vulnerabilities have been fixed in openSUSE Leap 16.0. CVE-2026-25645 (rated moderate) affects python-requests: zip members are extracted to predictable filenames, and a file that already exists at the target path is reused without validation, so a pre-planted or overwritten file can be picked up in place of the archive contents. CVE-2026-8177 (rated major) affects perl-XML-LibXML: parsing XML node names that contain truncated UTF-8 byte sequences reads heap memory out of bounds, which can crash the parser or disclose adjacent heap contents. Both affect openSUSE Leap 16.0 and have patches available; users are advised to apply them promptly via YaST online_update or zypper. The CVEs were published on March 25, 2026 and May 10, 2026 respectively.

Key Points:

  • CVE-2026-25645: predictable filenames in zip extraction allow an existing file at the target path to be reused or overwritten.
  • CVE-2026-8177: out-of-bounds heap read when parsing XML node names with truncated UTF-8, posing a major risk.
  • Users of openSUSE Leap 16.0 should apply the security patches immediately.

Detailed Analysis

**Impact**

Users of openSUSE Leap 16.0 running affected versions of python-requests and perl-XML-LibXML are impacted. CVE-2026-25645 can lead to files at predictable extraction paths being substituted or overwritten; CVE-2026-8177 can lead to out-of-bounds heap reads, causing application crashes or disclosure of heap contents. No specific sectors, geographies, or data breach details are provided.

**Technical Details**

CVE-2026-25645 affects the python-requests package: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and reuses a target file that already exists without validating it. CVE-2026-8177 affects perl-XML-LibXML: parsing XML node names containing truncated UTF-8 byte sequences reads heap memory past the end of the buffer (CWE-125). Both are input validation flaws that occur during data parsing. No malware, attack infrastructure, or IOCs are mentioned.

**Recommended Response**

Apply the openSUSE Leap 16.0 patches for python-requests (python313-requests-2.32.4-160000.3.1) and perl-XML-LibXML (perl-XML-LibXML-2.0210-160000.3.1) immediately using YaST online_update or the zypper patch command, then confirm the installed versions with rpm -q. Monitor for unexpected file modifications in temporary directories used for zip extraction and for crashes in XML parsing. No additional detection rules or configurations are specified.
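The extraction flaw described above, as an added illustration that is not the python-requests code: `extract_predictable()` models the pattern the advisory describes (a fixed name under a shared temporary directory, and an existing file at that path taken as-is), while `extract_private()` shows the hardened form using a fresh private directory and an exclusive create. The member name, archive contents and the planted file are constructed here for the demonstration.

```python
"""Predictable extraction path versus private, exclusively created target.

Constructed example modelling the CVE-2026-25645 pattern; this is not the
python-requests implementation of extract_zipped_paths().
"""
import io
import os
import tempfile
import zipfile


def make_archive(member: str, payload: bytes) -> bytes:
    """Build a small zip archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def extract_predictable(archive: bytes, member: str, tmp: str) -> bytes:
    """Vulnerable pattern: the target name is derivable from the member name,
    and whatever already sits at that path is returned without validation."""
    target = os.path.join(tmp, os.path.basename(member))
    if not os.path.exists(target):  # a pre-existing file wins
        with zipfile.ZipFile(io.BytesIO(archive)) as zf, open(target, "wb") as fh:
            fh.write(zf.read(member))
    with open(target, "rb") as fh:
        return fh.read()


def extract_private(archive: bytes, member: str, tmp: str) -> bytes:
    """Hardened: fresh mode-0700 directory per extraction (unguessable name),
    exclusive create of the target, never reuse a pre-existing file."""
    name = os.path.basename(member)
    if name in ("", ".", ".."):
        raise ValueError("refusing unsafe member name")
    workdir = tempfile.mkdtemp(prefix="extract-", dir=tmp)
    target = os.path.join(workdir, name)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf, os.fdopen(fd, "wb") as fh:
        fh.write(zf.read(member))
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Another local user plants a file at the predictable path first;
    compare what each extractor hands back to the caller."""
    member = "bundle/cacert.pem"          # constructed member name
    genuine = b"-----BEGIN CERTIFICATE-----\nGENUINE\n"
    planted = b"-----BEGIN CERTIFICATE-----\nATTACKER\n"
    archive = make_archive(member, genuine)
    tmp = tempfile.mkdtemp(prefix="shared-tmp-")  # stands in for a shared /tmp
    with open(os.path.join(tmp, "cacert.pem"), "wb") as fh:
        fh.write(planted)
    return {
        "predictable": extract_predictable(archive, member, tmp),
        "private": extract_private(archive, member, tmp),
        "genuine": genuine,
    }


if __name__ == "__main__":
    result = demo()
    print("predictable path returned:", result["predictable"].splitlines()[-1])
    print("private path returned:    ", result["private"].splitlines()[-1])
```

The hardened variant keeps the extracted file unreachable by other local users (the directory is created 0700 with an unpredictable name) and fails loudly if a file somehow already exists, instead of silently trusting it.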

Source articles (2)

  • openSUSE Leap 16.0 perl-XML-LibXML Major Heap Memory Update 2026-20908 — Linuxsecurity · 2026-06-08
    - CVE-2026-8177: read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences To install this openSUSE security update use the suse recommended installation met…
  • openSUSE Leap 16.0 python-requests Moderate Zip Extraction 2026-20926 — Linuxsecurity · 2026-06-09
    - CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation (bsc#1260589). To install th…
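The out-of-bounds read behind CVE-2026-8177, as an added model that is not perl-XML-LibXML or libxml2 code: `read_name_unchecked()` trusts the lead byte of a UTF-8 sequence and reads the full sequence even when it extends past the declared length of the name, so a truncated sequence at the end pulls in bytes that follow the buffer (in C, adjacent heap memory). `read_name_checked()` adds the bounds test that stops at the buffer end. The name bytes and the "neighbouring memory" bytes are constructed for the demonstration.

```python
"""Bounds-checked scan of UTF-8 node-name bytes versus an unchecked one.

Constructed model of the CWE-125 pattern behind CVE-2026-8177; not the
perl-XML-LibXML or libxml2 implementation.
"""


def utf8_seq_len(lead: int) -> int:
    """Sequence length implied by a UTF-8 lead byte, or 0 if it is not a lead byte."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def read_name_unchecked(mem: bytes, length: int) -> bytes:
    """Flawed reader: copies each sequence whole, based on the lead byte alone.
    If the last sequence is truncated, the slice reaches past `length`
    (the allocation boundary in C) into whatever follows."""
    out = bytearray()
    i = 0
    while i < length:
        need = utf8_seq_len(mem[i]) or 1
        out += mem[i:i + need]  # may extend beyond `length`
        i += need
    return bytes(out)


def read_name_checked(mem: bytes, length: int) -> tuple:
    """Safe reader: refuses a sequence that would run past `length` and
    verifies continuation bytes, returning (ok, bytes_read_so_far)."""
    out = bytearray()
    i = 0
    while i < length:
        need = utf8_seq_len(mem[i])
        if need == 0 or i + need > length:   # the missing bounds check
            return False, bytes(out)
        if any(mem[i + k] & 0xC0 != 0x80 for k in range(1, need)):
            return False, bytes(out)
        out += mem[i:i + need]
        i += need
    return True, bytes(out)


# Constructed input: a name whose final 3-byte sequence (E2 82 AC, the euro
# sign) is cut off after two bytes, followed by bytes that model the
# neighbouring heap contents.
NAME = b"ab\xe2\x82"
MEM = NAME + b"\x80SECRET"


if __name__ == "__main__":
    leaked = read_name_unchecked(MEM, len(NAME))
    print("unchecked read returned", leaked.hex(), "- one byte past the name")
    print("checked read returned  ", read_name_checked(MEM, len(NAME)))
```

The unchecked reader returns one byte more than the name contains; a real parser that keeps that byte in the node name, or in an error message, hands the caller adjacent heap data, which is the disclosure path the advisory describes.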

Timeline

  • 2026-03-25 — CVE-2026-25645 published: A vulnerability in zip extraction allows predictable filenames, risking file overwrites.
  • 2026-05-10 — CVE-2026-8177 published: A major vulnerability allows out-of-bounds memory access when parsing XML node names.
  • 2026-06-09 — Security updates released: openSUSE released patches for both CVEs, urging users to update their systems immediately.

CVEs

  • CVE-2026-25645
  • CVE-2026-8177

Related entities

  • Zero-day Exploit (Attack Type)
  • Cwe-125 - Out-of-bounds Read (Cwe)
  • Linux (Platform)
  • OpenSUSE Leap 16.0 (Platform)