SUSE Security Updates Address Multiple Denial of Service Vulnerabilities
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity
Keywords: overflow, denial, service, suse, cups, heap, python-pillow
Severity indicators: heap overflow
Summary
SUSE released security updates for python-Pillow and CUPS addressing several vulnerabilities. The python-Pillow update fixes three CVEs: CVE-2026-42308, CVE-2026-42309, and CVE-2026-42310, which involve integer overflow, heap buffer overflow, and infinite loops, potentially leading to denial of service. The CUPS update addresses six vulnerabilities, including CVE-2026-34979, a heap overflow in `get_options()`, and CVE-2026-39314, which can also cause denial of service. These vulnerabilities affect SUSE Linux Enterprise Server and other products. Admins are advised to apply the patches using SUSE's recommended methods. The updates were released on May 28 and May 26, 2026, respectively. The vulnerabilities have varying CVSS scores, indicating differing levels of severity.
Key Points:
- SUSE patches critical vulnerabilities in python-Pillow and CUPS affecting multiple systems.
- CVE-2026-42310 and CVE-2026-39314 can lead to denial of service under specific conditions.
- System administrators are urged to apply patches immediately to mitigate risks.
Detailed Analysis
**Impact**
SUSE Linux Enterprise Server 16.0 and SUSE Linux Enterprise Server for SAP applications 16.0 users are affected by multiple denial of service (DoS) vulnerabilities in python-Pillow and CUPS packages. The vulnerabilities can cause service outages, resource exhaustion, and potential unauthorized access in printing services, impacting operational continuity in sectors relying on SUSE infrastructure. No specific geographic or sectoral data was provided.
**Technical Details**
Exploits target integer overflow (CVE-2026-42308), heap buffer overflow (CVE-2026-42309, CVE-2026-34979), infinite loops (CVE-2026-42310), authorization bypass (CVE-2026-27447), path traversal (CVE-2026-34978), and denial of service via resource exhaustion (CVE-2026-39314, CVE-2026-39316). Attack vectors include crafted PDFs, nested list coordinates, and network print job requests. No malware or specific threat actor infrastructure details were provided.
**Recommended Response**
Apply SUSE patches SUSE-SLES-16.0-820 and SUSE-SU-2026:21850-1 immediately using YaST online_update or "zypper patch" commands. Harden print services by reviewing access controls and monitoring for anomalous print job requests. Deploy detection rules for abnormal resource usage and heap overflow indicators. Monitor for exploitation attempts targeting the listed CVEs.
Source articles (2)
- SUSE Python-Pillow Denial of Service and Overflow Security Fix 2026-21861 — Linuxsecurity · 2026-06-01
  This update for python-Pillow fixes the following issues: * CVE-2026-42308: integer overflow in font processing can lead to denial of service (bsc#1265359). * CVE-2026-42309: heap buffer overflow wh…
- SUSE CUPS Important Denial of Service Heap Overflow Vuln 2026-21850 — Linuxsecurity · 2026-06-01
  This update for cups fixes the following issues: * CVE-2026-27447: Authorization bypass via case-insensitive group-member lookup (bsc#1261572). * CVE-2026-34978: Path traversal in RSS notify-recipie…
Timeline
- 2026-04-03 — CVE-2026-34979 published: Heap overflow vulnerability in CUPS identified, affecting multiple configurations.
- 2026-04-03 — CVE-2026-27447 published: Authorization bypass vulnerability in CUPS disclosed, impacting user permissions.
- 2026-04-03 — CVE-2026-34980 published: Path traversal vulnerability in CUPS allows unauthorized file writes.
- 2026-04-03 — CVE-2026-34990 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-03 — CVE-2026-34978 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-07 — CVE-2026-39316 published: Dangling subscription pointer vulnerability in CUPS leads to denial of service.
- 2026-04-07 — CVE-2026-39314 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-09 — CVE-2026-42310 published: Infinite loop vulnerability in python-Pillow discovered, risking resource exhaustion.
- 2026-05-09 — CVE-2026-42308 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-09 — CVE-2026-42309 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
CVEs
- CVE-2026-27447
- CVE-2026-34978
- CVE-2026-34979
- CVE-2026-34980
- CVE-2026-34990
- CVE-2026-39314
- CVE-2026-39316
- CVE-2026-42308
- CVE-2026-42309
- CVE-2026-42310
Related entities
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- CWE-122 - Heap-based Buffer Overflow (CWE)
- CWE-190 - Integer Overflow or Wraparound (CWE)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-22 - Path Traversal (CWE)
- CWE-287 - Improper Authentication (CWE)
- CWE-362 - Race Condition (CWE)
- CWE-416 - Use After Free (CWE)
- CWE-94 - Code Injection (CWE)
- CUPS (Platform)
- SUSE Linux Enterprise Server 16.0 (Platform)
- SUSE Linux Enterprise Server For SAP Applications 16.0 (Platform)