SUSE Helm Updates Address Critical CVEs in Linux Micro 6.0 and 6.1
Severity: High (Score: 72.0)
Sources: Linuxsecurity
Summary
SUSE has released important updates for Helm in SUSE Linux Micro 6.0 and 6.1 to address two critical vulnerabilities. CVE-2026-33814 involves an infinite loop in HTTP/2 transport due to a bad SETTINGS_MAX_FRAME_SIZE, while CVE-2026-41888 allows tag deletion to bypass storage configuration. Both vulnerabilities could lead to significant disruptions if exploited. The updates include Helm version 3.21.0 and are critical for users of SUSE Linux Micro. Administrators are advised to apply the patches using recommended methods like YaST or `zypper patch`. The vulnerabilities were published on May 7 and May 14, 2026, respectively, and have been rated with CVSS scores of 7.5 and 6.3. Immediate action is recommended to mitigate potential risks.
Key Points:
- SUSE released updates for Helm addressing CVE-2026-33814 and CVE-2026-41888.
- CVE-2026-33814 can cause an infinite loop in HTTP/2 transport under specific conditions.
- CVE-2026-41888 allows unauthorized tag deletion, bypassing storage configurations.
Detailed Analysis
**Impact**
SUSE Linux Micro versions 6.0 and 6.1 are affected by these vulnerabilities in the Helm package, on all shipped architectures: aarch64, ppc64le, s390x, and x86_64. The vulnerabilities could lead to denial of service (DoS) conditions and unauthorized tag deletion in container registries, potentially disrupting containerized application deployments and operations. No specific sectors or geographic regions are detailed in the sources.
**Technical Details**
Two vulnerabilities are addressed: CVE-2026-33814, an infinite loop in the HTTP/2 transport (golang.org/x/net/http2) triggered by a malformed SETTINGS_MAX_FRAME_SIZE value, causing DoS (CVSS 7.5); and CVE-2026-41888, which allows tag deletion to bypass the storage.delete.enabled configuration, enabling unauthorized removal of container image tags (CVSS 6.3-6.5). Both are fixed in Helm package version 3.21.0, which also carries the updated Golang and distribution libraries. No malware, attack infrastructure, or IOCs are provided. The attack vector is network-based, targeting HTTP/2 transport and container registry operations.
**Recommended Response**
Apply the SUSE-provided patches immediately using YaST online_update or the zypper patch commands: `zypper in -t patch SUSE-SLE-Micro-6.1-554=1` for version 6.1 and `zypper in -t patch SUSE-SLE-Micro-6.0-734=1` for version 6.0. Verify that Helm is updated to version 3.21.0. Monitor container registry logs for unauthorized tag deletions and anomalous HTTP/2 traffic patterns. Harden configurations to enforce the storage.delete.enabled setting and restrict network access to Helm services where possible.
Source articles (2)
- SUSE Linux Micro 6.0 Helm Important Tag Deletion Issues CVE-2026 — Linuxsecurity · 2026-06-02
  Excerpt: This update for helm fixes the following issues: CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265758). CVE-2026-41888: g…
- SUSE Linux Micro Helm Important Tag Deletion Infinite Loop Fix 2026-21881 — Linuxsecurity · 2026-06-02
  Excerpt: same text as the first article.
Timeline
- 2026-05-07 — CVE-2026-33814 published: SUSE disclosed a vulnerability causing an infinite loop in HTTP/2 transport with bad SETTINGS_MAX_FRAME_SIZE.
- 2026-05-14 — CVE-2026-41888 published: SUSE reported a vulnerability that allows tag deletion to bypass the storage.delete.enabled configuration.
- 2026-06-01 — SUSE releases Helm update for Micro 6.1: An important update was released for Helm in SUSE Linux Micro 6.1 to fix critical vulnerabilities.
- 2026-06-01 — SUSE releases Helm update for Micro 6.0: An important update was released for Helm in SUSE Linux Micro 6.0 to address the same critical vulnerabilities.
CVEs
- CVE-2026-33814 (CVSS 7.5) — infinite loop in HTTP/2 transport on bad SETTINGS_MAX_FRAME_SIZE (bsc#1265758)
- CVE-2026-41888 (CVSS 6.3) — tag deletion bypasses the storage.delete.enabled configuration
Related entities
- SuSE (Company)
- golang.org (Domain)
- Linux (Platform)
- SUSE Linux Micro (Platform)