SUSE Fixes Critical Authorization Bypass and DoS Vulnerabilities in Cloud Agents

Severity: High (Score: 72.0)

Sources: Linuxsecurity

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: issue, suse, google-osconfig-agent, bypass, google-cloud-sap-agent, update, fixes

Severity indicators: critical, issue

Summary

SUSE has released updates for two cloud agents, addressing critical vulnerabilities. The google-osconfig-agent update resolves CVE-2026-33186, which allows for authorization bypass due to improper validation of HTTP/2 path pseudo-headers. This vulnerability has a CVSS score of 9.1, indicating a high severity level. The google-cloud-sap-agent update fixes CVE-2026-33814, which can cause an infinite loop in HTTP/2 transport, rated at 7.5 on the CVSS scale. Both vulnerabilities affect the Public Cloud Module 12 and various SUSE Linux Enterprise versions. Administrators are advised to apply the patches using SUSE's recommended installation methods. The updates were released on June 10, 2026, and are critical for maintaining system security.

Key Points:

  • CVE-2026-33186 allows for authorization bypass in google-osconfig-agent.
  • CVE-2026-33814 can cause an infinite loop in google-cloud-sap-agent's HTTP/2 transport.
  • Both vulnerabilities affect SUSE's Public Cloud Module 12 and require immediate patching.

Detailed Analysis

**Impact** SUSE Linux Enterprise Server and High Performance Computing users across multiple versions (12 through 12 SP5) and architectures (aarch64, ppc64le, s390x, x86_64) are affected. The vulnerabilities impact cloud agents used in public cloud environments, potentially disrupting operations through denial-of-service (DoS) or unauthorized access. The affected sectors include enterprises relying on SAP and cloud infrastructure management, with no specific geographic limitations provided.

**Technical Details** Two critical vulnerabilities were addressed: CVE-2026-33186 involves an authorization bypass in google-osconfig-agent due to improper validation of the HTTP/2 path pseudo-header, with CVSS scores up to 9.1, enabling privilege escalation and unauthorized access. CVE-2026-33814 affects google-cloud-sap-agent, causing an infinite loop DoS via malformed HTTP/2 SETTINGS_MAX_FRAME_SIZE frames, scored 7.5 CVSS. Both exploit weaknesses in HTTP/2 protocol handling within Golang libraries, impacting the kill chain at the initial access and denial of service stages. No specific malware or IOCs were reported.

**Recommended Response** Apply the SUSE patches SUSE-SLE-Module-Public-Cloud-12-2026-2347=1 for google-osconfig-agent and SUSE-SLE-Module-Public-Cloud-12-2026-2348=1 for google-cloud-sap-agent immediately using YaST online_update or zypper patch. Monitor HTTP/2 traffic for abnormal SETTINGS_MAX_FRAME_SIZE values and unauthorized path pseudo-header manipulations. Harden HTTP/2 protocol handling configurations where possible and review access controls on cloud agents. No additional IOCs or detection signatures were provided.
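For the monitoring recommendation above, this added example (not code from SUSE, the agents, or the Go libraries) shows what an "abnormal" SETTINGS_MAX_FRAME_SIZE looks like on the wire: it parses a raw HTTP/2 frame and flags SETTINGS frames that break the RFC 9113 rules, including a value outside 2^14 to 2^24-1. The function name `CheckSettingsFrame` and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RFC 9113: SETTINGS is frame type 0x4; SETTINGS_MAX_FRAME_SIZE (id 0x5) must be in [2^14, 2^24-1].
const (
	frameSettings   = 0x4
	settingMaxFrame = 0x5
	minFrameSize    = 1 << 14
	maxFrameSize    = 1<<24 - 1
)

// CheckSettingsFrame (hypothetical helper) inspects one raw frame: 9-byte header plus payload.
func CheckSettingsFrame(raw []byte) []string {
	if len(raw) < 9 {
		return []string{"truncated frame header"}
	}
	if raw[3] != frameSettings {
		return nil // other frame types are out of scope here
	}
	length := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
	if len(raw)-9 < length {
		return []string{"truncated SETTINGS payload"}
	}
	var out []string
	if binary.BigEndian.Uint32(raw[5:9])&0x7fffffff != 0 {
		out = append(out, "SETTINGS on non-zero stream")
	}
	if raw[4]&0x1 != 0 && length != 0 {
		out = append(out, "SETTINGS ACK with payload")
	}
	if length%6 != 0 {
		return append(out, "SETTINGS length not a multiple of 6")
	}
	// Each setting is a 16-bit identifier followed by a 32-bit value.
	for p := raw[9 : 9+length]; len(p) >= 6; p = p[6:] {
		id, val := binary.BigEndian.Uint16(p), binary.BigEndian.Uint32(p[2:])
		if id == settingMaxFrame && (val < minFrameSize || val > maxFrameSize) {
			out = append(out, fmt.Sprintf("SETTINGS_MAX_FRAME_SIZE=%d out of range", val))
		}
	}
	return out
}

func main() {
	bad := []byte{0, 0, 6, 4, 0, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0} // constructed: MAX_FRAME_SIZE = 0
	fmt.Println(CheckSettingsFrame(bad))
}
```

The check only sees cleartext frames, so it has to run where TLS is already terminated or inside a test harness feeding captured frames.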

Source articles (2)

  • SUSE google-cloud-sap-agent Important DoS Issue Fixed 2026-2348 — Linuxsecurity · 2026-06-11
    ## This update for google-cloud-sap-agent fixes the following issue * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265764). Ch…
  • SUSE 2026-2347-1 google-osconfig-agent Critical Issue Bypass CVE-2026 — Linuxsecurity · 2026-06-11
    ## This update for google-osconfig-agent fixes the following issue * CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#126…

Timeline

  • 2026-03-20 — CVE-2026-33186 published: SUSE disclosed a critical authorization bypass vulnerability in google-osconfig-agent.
  • 2026-04-07 — First public PoC for CVE-2026-33186: A proof of concept for the authorization bypass vulnerability was made public, increasing risk exposure.
  • 2026-05-07 — CVE-2026-33814 published: SUSE announced a denial of service vulnerability in google-cloud-sap-agent related to HTTP/2 transport.
  • 2026-06-10 — Patches released for both vulnerabilities: SUSE released updates for google-osconfig-agent and google-cloud-sap-agent to address critical vulnerabilities.

CVEs

  • CVE-2026-33186
  • CVE-2026-33814

Related entities

  • Denial of Service (Attack Type)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-400 - Uncontrolled Resource Consumption (Cwe)
  • golang.org (Domain)
  • google.golang.org (Domain)
  • Google-cloud-sap-agent (Platform)
  • Public Cloud Module 12 (Platform)
  • SUSE Linux Enterprise High Performance Computing 12 SP2 (Platform)
  • SUSE Linux Enterprise High Performance Computing 12 SP3 (Platform)
  • SUSE Linux Enterprise High Performance Computing 12 SP4 (Platform)
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (Platform)
  • SUSE Linux Enterprise Server 12 (Platform)
  • SUSE Linux Enterprise Server 12 SP1 (Platform)
  • SUSE Linux Enterprise Server 12 SP2 (Platform)
  • SUSE Linux Enterprise Server 12 SP3 (Platform)
  • SUSE Linux Enterprise Server 12 SP4 (Platform)
  • SUSE Linux Enterprise Server 12 SP5 (Platform)