CVE-2025-68131 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-68131 Interim 1 1 2026-03-05T00:25:56Z current 2026-03-05T00:25:56Z 2026-03-05T00:25:56Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-68131 cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 openSUSE Tumbleweed python-cbor2 python311-cbor2-5.8.0-2.1 python312-cbor2-5.8.0-2.1 python313-cbor2 python313-cbor2-5.8.0-2.1 python311-cbor2-5.8.0-2.1 as a component of openSUSE Tumbleweed python312-cbor2-5.8.0-2.1 as a component of openSUSE Tumbleweed python313-cbor2-5.8.0-2.1 as a component of openSUSE Tumbleweed python313-cbor2 as a component of SUSE Linux Enterprise Server 16.0 python-cbor2 as a component of SUSE Linux Enterprise Server 16.0 python313-cbor2 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 python-cbor2 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue. CVE-2025-68131 openSUSE Tumbleweed:python311-cbor2-5.8.0-2.1 openSUSE Tumbleweed:python312-cbor2-5.8.0-2.1 openSUSE Tumbleweed:python313-cbor2-5.8.0-2.1 moderate 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N