Security update for shim SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0741-1 Final 1 1 2026-03-02T08:11:15Z current 2026-03-02T08:11:15Z 2026-03-02T08:11:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for shim This update for shim fixes the following issues: shim is updated to version 16.1: - shim_start_image(): fix guid/handle pairing when uninstalling protocols - Fix uncompressed ipv6 netboot - fix test segfaults caused by uninitialized memory - SbatLevel_Variable.txt: minor typo fix. - Realloc() needs to allocate one more byte for sprintf() - IPv6: Add more check to avoid multiple double colon and illegal char - Loader proto v2 - loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages - Generate Authenticode for the entire PE file - README: mention new loader protocol and interaction with UKIs - shim: change automatically enable MOK_POLICY_REQUIRE_NX - Save var info - add SbatLevel entry 2025051000 for PSA-2025-00012-1 - Coverity fixes 20250804 - fix http boot - Fix double free and leak in the loader protocol shim is updated to version 16.0: - Validate that a supplied vendor cert is not in PEM format - sbat: Add grub.peimage,2 to latest (CVE-2024-2312) - sbat: Also bump latest for grub,4 (and to todays date) - undo change that limits certificate files to a single file - shim: don't set second_stage to the empty string - Fix SBAT.md for today's consensus about numbers - Update Code of Conduct contact address - make-certs: Handle missing OpenSSL installation - Update MokVars.txt - export DEFINES for sub makefile - Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition - Null-terminate 'arguments' in fallback - Fix 'Verifiying' typo in error message - Update Fedora CI targets - Force gcc to produce DWARF4 so that gdb can use it - Minor housekeeping 2024121700 - Discard load-options that start with WINDOWS - Fix the issue that the gBS->LoadImage pointer was empty. - shim: Allow data after the end of device path node in load options - Handle network file not found like disks - Update gnu-efi submodule for EFI_HTTP_ERROR - Increase EFI file alignment - avoid EFIv2 runtime services on Apple x86 machines - Improve shortcut performance when comparing two boolean expressions - Provide better error message when MokManager is not found - tpm: Boot with a warning if the event log is full - MokManager: remove redundant logical constraints - Test import_mok_state() when MokListRT would be bigger than available size - test-mok-mirror: minor bug fix - Fix file system browser hang when enrolling MOK from disk - Ignore a minor clang-tidy nit - Allow fallback to default loader when encountering errors on network boot - test.mk: don't use a temporary random.bin - pe: Enhance debug report for update_mem_attrs - Multiple certificate handling improvements - Generate SbatLevel Metadata from SbatLevel_Variable.txt - Apply EKU check with compile option - Add configuration option to boot an alternative 2nd stage - Loader protocol (with Device Path resolution support) - netboot cleanup for additional files - Document how revocations can be delivered - post-process-pe: add tests to validate NX compliance - regression: CopyMem() in ad8692e copies out of bounds - Save the debug and error logs in mok-variables - Add features for the Host Security ID program - Mirror some more efi variables to mok-variables - This adds DXE Services measurements to HSI and uses them for NX - Add shim's current NX_COMPAT status to HSIStatus - README.tpm: reflect that vendor_db is in fact logged as 'vendor_db' - Reject HTTP message with duplicate Content-Length header fields - Disable log saving - fallback: don't add new boot order entries backwards - README.tpm: Update MokList entry to MokListRT - SBAT Level update for February 2025 GRUB CVEs The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle-micro/base-5.5:latest-2026-741,Image SLES15-SP5-BYOS-EC2-2026-741,SUSE-2026-741,SUSE-SLE-Micro-5.3-2026-741,SUSE-SLE-Micro-5.4-2026-741,SUSE-SLE-Micro-5.5-2026-741,SUSE-SLE-Module-Basesystem-15-SP7-2026-741,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-741,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-741,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-741,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-741,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-741,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-741,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-741,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-741,SUSE-SUSE-MicroOS-5.2-2026-741,openSUSE-SLE-15.6-2026-741 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260741-1/ Link for SUSE-SU-2026:0741-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024522.html E-Mail link for SUSE-SU-2026:0741-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240871 SUSE Bug 1240871 https://bugzilla.suse.com/1247432 SUSE Bug 1247432 https://www.suse.com/security/cve/CVE-2024-2312/ SUSE CVE CVE-2024-2312 page Container suse/sle-micro/base-5.5:latest Image SLES15-SP5-BYOS-EC2 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 openSUSE Leap 15.6 shim-16.1-150300.4.31.3 shim-16.1-150300.4.31.3 as a component of Container suse/sle-micro/base-5.5:latest shim-16.1-150300.4.31.3 as a component of Image SLES15-SP5-BYOS-EC2 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Micro 5.2 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Micro 5.3 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Micro 5.4 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Micro 5.5 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 shim-16.1-150300.4.31.3 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 shim-16.1-150300.4.31.3 as a component of openSUSE Leap 15.6 GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass. CVE-2024-2312 Container suse/sle-micro/base-5.5:latest:shim-16.1-150300.4.31.3 Image SLES15-SP5-BYOS-EC2:shim-16.1-150300.4.31.3 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:shim-16.1-150300.4.31.3 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:shim-16.1-150300.4.31.3 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:shim-16.1-150300.4.31.3 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Micro 5.2:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Micro 5.3:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Micro 5.4:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Micro 5.5:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Module for Basesystem 15 SP7:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Server 15 SP4-LTSS:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Server 15 SP5-LTSS:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Server for SAP Applications 15 SP4:shim-16.1-150300.4.31.3 SUSE Linux Enterprise Server for SAP Applications 15 SP5:shim-16.1-150300.4.31.3 openSUSE Leap 15.6:shim-16.1-150300.4.31.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260741-1/ https://www.suse.com/security/cve/CVE-2024-2312.html CVE-2024-2312 https://bugzilla.suse.com/1222868 SUSE Bug 1222868