Security update for munge SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0451-1 Final 1 1 2026-02-11T16:15:59Z current 2026-02-11T16:15:59Z 2026-02-11T16:15:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for munge This update for munge fixes the following issues: - CVE-2026-25506: buffer overflow in message unpacking (bsc#1257651). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-451,SUSE-SLE-Module-HPC-15-SP7-2026-451,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-451 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260451-1/ Link for SUSE-SU-2026:0451-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024130.html E-Mail link for SUSE-SU-2026:0451-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257651 SUSE Bug 1257651 https://www.suse.com/security/cve/CVE-2026-25506/ SUSE CVE CVE-2026-25506 page SUSE Linux Enterprise Module for HPC 15 SP7 SUSE Linux Enterprise Module for Package Hub 15 SP7 libmunge2-0.5.16-150700.3.6.1 libmunge2-32bit-0.5.16-150700.3.6.1 libmunge2-64bit-0.5.16-150700.3.6.1 munge-0.5.16-150700.3.6.1 munge-devel-0.5.16-150700.3.6.1 munge-devel-32bit-0.5.16-150700.3.6.1 munge-devel-64bit-0.5.16-150700.3.6.1 libmunge2-0.5.16-150700.3.6.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP7 munge-0.5.16-150700.3.6.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP7 munge-devel-0.5.16-150700.3.6.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP7 libmunge2-0.5.16-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 munge-0.5.16-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 munge-devel-0.5.16-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18. CVE-2026-25506 SUSE Linux Enterprise Module for HPC 15 SP7:libmunge2-0.5.16-150700.3.6.1 SUSE Linux Enterprise Module for HPC 15 SP7:munge-0.5.16-150700.3.6.1 SUSE Linux Enterprise Module for HPC 15 SP7:munge-devel-0.5.16-150700.3.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libmunge2-0.5.16-150700.3.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:munge-0.5.16-150700.3.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:munge-devel-0.5.16-150700.3.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260451-1/ https://www.suse.com/security/cve/CVE-2026-25506.html CVE-2026-25506 https://bugzilla.suse.com/1257651 SUSE Bug 1257651