Security update for crun SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20452-1 Final 1 1 2026-02-17T08:51:47Z current 2026-02-17T08:51:47Z 2026-02-17T08:51:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for crun This update for crun fixes the following issues: - CVE-2025-24965: .krun_config.json symlink attack creates or overwrites file on the host (bsc#1237421). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-588 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620452-1/ Link for SUSE-SU-2026:20452-1 https://lists.suse.com/pipermail/sle-updates/2026-February/044347.html E-Mail link for SUSE-SU-2026:20452-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237421 SUSE Bug 1237421 https://www.suse.com/security/cve/CVE-2025-24965/ SUSE CVE CVE-2025-24965 page SUSE Linux Micro 6.0 crun-1.14-2.1 crun-1.14-2.1 as a component of SUSE Linux Micro 6.0 crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2025-24965 SUSE Linux Micro 6.0:crun-1.14-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620452-1/ https://www.suse.com/security/cve/CVE-2025-24965.html CVE-2025-24965 https://bugzilla.suse.com/1237421 SUSE Bug 1237421