Back

Critical Denial of Service Vulnerabilities in SUSE Linux QEMU

Severity: High (Score: 70.5)

Sources: Linuxsecurity

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: qemu, denial, suse, linux, micro, service, update

Summary

SUSE Linux has released updates addressing multiple vulnerabilities in QEMU, affecting versions of SUSE Linux Micro 6.0 and 6.1. Key vulnerabilities include CVE-2025-14876, CVE-2026-0665, CVE-2026-2243, CVE-2026-3195, and CVE-2026-3196. These vulnerabilities can lead to denial of service, memory corruption, and information leaks when processing specially crafted files. The flaws are particularly concerning due to their potential for unbounded memory allocation and heap buffer overflows. Users are advised to apply the patches immediately to mitigate risks. The vulnerabilities were published between February 18 and February 19, 2026, with the updates released on May 28 and June 1, 2026. Affected systems include various configurations of SUSE Linux Micro. Key Points: • Multiple critical vulnerabilities in QEMU affect SUSE Linux Micro 6.0 and 6.1. • CVE-2026-0665 and CVE-2026-3196 can lead to denial of service and memory corruption. • Patches were released on May 28 and June 1, 2026; immediate application is recommended.

Detailed Analysis

**Impact** SUSE Linux Micro versions 6.0 and 6.1 running QEMU are affected by multiple denial-of-service vulnerabilities that can cause service disruptions and potential memory corruption. These issues impact virtualized environments relying on QEMU for hardware emulation, affecting sectors using SUSE Linux Micro for containerized or cloud-native workloads. No specific geographic or sectoral data is provided. Data leakage risk is limited to a 12-byte information leak via crafted VMDK files. **Technical Details** Exploits target QEMU components including virtio-crypto and virtio-snd devices, leveraging unbounded memory allocation, heap buffer overflows, and out-of-bounds heap access. The vulnerabilities include CVE-2025-14876, CVE-2026-0665, CVE-2026-2243, CVE-2026-3195, and CVE-2026-3196. Attack vectors involve crafted VMDK files and PCM_INFO requests from guests, leading to denial-of-service or minor information leaks. No malware, tools, or infrastructure indicators of compromise (IOCs) are provided. **Recommended Response** Apply the security updates SUSE-SU-2026:21883-1 (for Micro 6.1) and SUSE-SU-2026:21912-1 (for Micro 6.0) immediately to mitigate these vulnerabilities. Monitor QEMU logs for unusual PCM_INFO requests or malformed VMDK file processing. Harden virtual machine input validation and restrict guest access to virtio devices where possible. No additional detection signatures or IOCs are currently available.

Source articles (2)

  • SUSE Linux Micro 6.0 QEMU Critical Service Disruption Flaws 2026-21912 — Linuxsecurity · 2026-06-02
    ## This update for qemu fixes the following issues * CVE-2025-14876: qemu-kvm: Unbounded allocation in virtio-crypto (bsc#1255400). * CVE-2026-0665: out-of-bounds heap access can lead to a denial of s…
  • SUSE Linux Micro 6.1 QEMU Important Denial Of Service Vuln 2026-21883 — Linuxsecurity · 2026-06-02
    ## This update for qemu fixes the following issues * CVE-2025-14876: qemu-kvm: Unbounded allocation in virtio-crypto (bsc#1255400). * CVE-2026-0665: out-of-bounds heap access can lead to a denial of s…

Timeline

  • 2026-02-18 — CVE-2025-14876 published: An unbounded allocation vulnerability in virtio-crypto was disclosed, affecting QEMU.
  • 2026-02-18 — CVE-2026-0665 published: An out-of-bounds heap access vulnerability was disclosed, leading to potential memory corruption.
  • 2026-02-19 — CVE-2026-2243 published: An incorrect bounds check vulnerability was disclosed, causing a 12-byte information leak.
  • 2026-05-28 — Patch for SUSE Linux Micro 6.0 released: SUSE released an important update addressing critical vulnerabilities in QEMU.
  • 2026-06-01 — Patch for SUSE Linux Micro 6.1 released: An important update was issued for QEMU vulnerabilities affecting SUSE Linux Micro 6.1.

CVEs

  • CVE-2025-14876
  • CVE-2026-0665
  • CVE-2026-2243
  • CVE-2026-3195
  • CVE-2026-3196

Related entities

  • DDoS (Attack Type)
  • SuSE (Company)
  • Cwe-122 - Heap-based Buffer Overflow (Cwe)
  • Cwe-125 - Out-of-bounds Read (Cwe)
  • Cwe-190 - Integer Overflow Or Wraparound (Cwe)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • Cwe-400 - Uncontrolled Resource Consumption (Cwe)
  • Cwe-787 - Out-of-bounds Write (Cwe)
  • QEMU (Platform)
  • SUSE Linux Micro (Platform)
  • Virtio (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed