openSUSE Leap 16.0 Security Updates Address Multiple Vulnerabilities
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity
Keywords: opensuse, leap, update, access, zypper, networkmanager, moderate
Summary
openSUSE Leap 16.0 has released updates to address several vulnerabilities, including CVE-2026-5107, CVE-2026-28532, CVE-2026-37457, and CVE-2026-37458. These vulnerabilities affect the EVPN Type-2 Route Handler in FRRouting (frr) and NetworkManager, posing risks such as improper access controls and potential denial of service. The underlying CVEs were published between March and May 2026; the latest update was released on June 8, 2026. Users are advised to apply the patches using YaST or zypper commands to mitigate the risks. The vulnerabilities could allow attackers to exploit systems running openSUSE Leap 16.0, highlighting the importance of timely updates. The overall impact is significant, as these vulnerabilities could lead to unauthorized access and service disruptions.
Key Points:
- Multiple vulnerabilities in openSUSE Leap 16.0 require immediate patching.
- CVE-2026-5107 involves improper access controls in the EVPN Type-2 Route Handler.
- Users should apply updates via YaST or zypper to secure their systems.
Detailed Analysis
**Impact**
openSUSE Leap 16.0 users across all sectors relying on the FRRouting (frr) and NetworkManager components are affected by multiple vulnerabilities. These issues could lead to unauthorized access or disruption of network routing and management services, potentially impacting operational continuity. No specific geographic or sectoral data is provided.
**Technical Details**
The vulnerabilities include CVE-2026-5107 (improper access controls in the EVPN Type-2 Route Handler), CVE-2026-28532 (unsafe TE/SR TLV iteration over malformed lengths), CVE-2026-37457 (off-by-one error in the FlowSpec operator array bounds check), and CVE-2026-37458 (insufficient MP_REACH_NLRI attribute validation). Additionally, a moderate-severity CVE from 2025 (its identifier is not given in the source excerpt) affects NetworkManager and is addressed by the 1.52.0 update. Attack vectors involve exploitation of improper access controls and malformed network protocol data during routing and network management operations. No malware or IOCs are reported.
**Recommended Response**
Apply the openSUSE Leap 16.0 patches immediately using YaST online_update or the "zypper patch" command to update frr to version 10.2.6 and NetworkManager to version 1.52.0. Monitor network routing and management components for unusual access or malformed packet activity. Harden configurations related to EVPN and NetworkManager services. No additional detection signatures or IOCs are provided.
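The response above boils down to confirming that the two packages have reached the fixed versions named in the advisory. The following POSIX shell script is an added example, not part of the advisory or of the openSUSE/SUSE tooling: it compares the installed `frr` and `NetworkManager` RPM versions against 10.2.6 and 1.52.0 (the only version numbers the page gives) using `sort -V`, and reports which hosts still need `zypper patch`. It assumes an RPM-based openSUSE host with GNU `sort`; the optional third argument to `check_package` is a constructed override so the logic can be exercised on a machine without those packages.

```shell
#!/bin/sh
# Added example (not from the advisory): verify that frr and NetworkManager
# are at or above the fixed versions the advisory names. Assumes an RPM-based
# openSUSE host and GNU coreutils (sort -V); rpm is only queried if present.

# Fixed versions stated in the advisory text
FRR_FIXED="10.2.6"
NM_FIXED="1.52.0"

# version_ge INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED by natural version ordering.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# installed_version PKG
# Prints the RPM %{VERSION} of an installed package; prints nothing and
# returns 1 if rpm is unavailable or the package is not installed.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q "$1" >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null | head -n 1
}

# check_package PKG FIXED [OVERRIDE]
# Prints one status line and returns 0 if the package is absent or patched,
# 1 if it is installed below FIXED. OVERRIDE is a constructed version used
# only for dry runs/testing on hosts that do not carry the package.
check_package() {
    pkg=$1; fixed=$2; override=${3:-}
    if [ -n "$override" ]; then
        ver=$override
    else
        ver=$(installed_version "$pkg") || ver=""
    fi
    if [ -z "$ver" ]; then
        echo "$pkg: not installed (nothing to patch)"
        return 0
    fi
    if version_ge "$ver" "$fixed"; then
        echo "$pkg: $ver >= $fixed (patched)"
        return 0
    fi
    echo "$pkg: $ver < $fixed (VULNERABLE: run 'zypper patch')"
    return 1
}

# check_all
# Checks both packages; returns 1 if any one of them is still vulnerable.
check_all() {
    status=0
    check_package frr "$FRR_FIXED" || status=1
    check_package NetworkManager "$NM_FIXED" || status=1
    return $status
}

# Stand-alone run: report on the local host (exit code ignored here so the
# script can also be sourced by a fleet-wide wrapper).
check_all || true
```

Run it on each Leap 16.0 host after patching; a non-zero exit from `check_all` in a wrapper marks hosts that still need attention. Comparing `%{VERSION}` alone deliberately ignores the distribution release suffix, which is why the fixed versions are written exactly as the advisory gives them.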
Source articles (2)
- openSUSE Leap 16.0 frr Introduces Update to Address Access Control Issues — Linuxsecurity · 2026-06-05
  - CVE-2026-5107: Fixed improper access controls in EVPN Type-2 Route Handler (bsc#1261013). - CVE-2026-28532: Harden TE/SR TLV iteration against malformed lengths (bsc#1263859). - CVE-2026-37457: F…
- openSUSE Leap 16.0 NetworkManager Moderate CVE-2025 — Linuxsecurity · 2026-06-08
  To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: zypper…
Timeline
- 2026-03-30 — CVE-2026-5107 published: An improper access control vulnerability was disclosed affecting openSUSE Leap 16.0.
- 2026-04-30 — CVE-2026-28532 published: A vulnerability was identified in TE/SR TLV iteration, affecting the stability of the system.
- 2026-05-01 — CVE-2026-37457 published: An off-by-one error was found in FlowSpec operator array bounds check, posing risks to users.
- 2026-05-04 — CVE-2026-37458 published: Validation issues in MP_REACH_NLRI attribute were disclosed, affecting network routing.
- 2026-06-08 — openSUSE NetworkManager update released: An update for NetworkManager was released to address moderate vulnerabilities, enhancing system security.
CVEs
- CVE-2026-5107
- CVE-2026-28532
- CVE-2026-37457
- CVE-2026-37458
Related entities
- Linux (Platform)
- OpenSUSE Leap 16.0 (Platform)