Security update for glib2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20493-1 Final 1 1 2026-02-17T09:52:57Z current 2026-02-17T09:52:57Z 2026-02-17T09:52:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glib2 This update for glib2 fixes the following issues: - CVE-2025-13601: Fixed integer overflow in in g_escape_uri_string() (bsc#1254297). - CVE-2025-14087: Fixed buffer underflow in GVariant parser leads to heap corruption (bsc#1254662). - CVE-2025-14512: Fixed integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (bsc#1254878). - CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing (bsc#1257354). - CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64 encoding routine (bsc#1257355). - CVE-2026-1489: Fixed undersized heap allocation followed by out-of-bounds access due to integer overflow in Unicode case conversion (bsc#1257353). - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-405 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ Link for SUSE-SU-2026:20493-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024480.html E-Mail link for SUSE-SU-2026:20493-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1254297 SUSE Bug 1254297 https://bugzilla.suse.com/1254662 SUSE Bug 1254662 https://bugzilla.suse.com/1254878 SUSE Bug 1254878 https://bugzilla.suse.com/1257049 SUSE Bug 1257049 https://bugzilla.suse.com/1257353 SUSE Bug 1257353 https://bugzilla.suse.com/1257354 SUSE Bug 1257354 https://bugzilla.suse.com/1257355 SUSE Bug 1257355 https://www.suse.com/security/cve/CVE-2025-13601/ SUSE CVE CVE-2025-13601 page https://www.suse.com/security/cve/CVE-2025-14087/ SUSE CVE CVE-2025-14087 page https://www.suse.com/security/cve/CVE-2025-14512/ SUSE CVE CVE-2025-14512 page https://www.suse.com/security/cve/CVE-2026-0988/ SUSE CVE CVE-2026-0988 page https://www.suse.com/security/cve/CVE-2026-1484/ SUSE CVE CVE-2026-1484 page https://www.suse.com/security/cve/CVE-2026-1485/ SUSE CVE CVE-2026-1485 page https://www.suse.com/security/cve/CVE-2026-1489/ SUSE CVE CVE-2026-1489 page SUSE Linux Micro 6.1 glib2-tools-2.78.6-slfo.1.1_6.1 libgio-2_0-0-2.78.6-slfo.1.1_6.1 libglib-2_0-0-2.78.6-slfo.1.1_6.1 libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 libgobject-2_0-0-2.78.6-slfo.1.1_6.1 glib2-tools-2.78.6-slfo.1.1_6.1 as a component of SUSE Linux Micro 6.1 libgio-2_0-0-2.78.6-slfo.1.1_6.1 as a component of SUSE Linux Micro 6.1 libglib-2_0-0-2.78.6-slfo.1.1_6.1 as a component of SUSE Linux Micro 6.1 libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 as a component of SUSE Linux Micro 6.1 libgobject-2_0-0-2.78.6-slfo.1.1_6.1 as a component of SUSE Linux Micro 6.1 A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string. CVE-2025-13601 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2025-13601.html CVE-2025-13601 https://bugzilla.suse.com/1254297 SUSE Bug 1254297 A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings. CVE-2025-14087 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2025-14087.html CVE-2025-14087 https://bugzilla.suse.com/1254662 SUSE Bug 1254662 A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values. CVE-2025-14512 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2025-14512.html CVE-2025-14512 https://bugzilla.suse.com/1254878 SUSE Bug 1254878 A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). CVE-2026-0988 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2026-0988.html CVE-2026-0988 https://bugzilla.suse.com/1257049 SUSE Bug 1257049 A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. CVE-2026-1484 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2026-1484.html CVE-2026-1484 https://bugzilla.suse.com/1257355 SUSE Bug 1257355 A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. CVE-2026-1485 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2026-1485.html CVE-2026-1485 https://bugzilla.suse.com/1257354 SUSE Bug 1257354 A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. CVE-2026-1489 SUSE Linux Micro 6.1:glib2-tools-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgio-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libglib-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 SUSE Linux Micro 6.1:libgobject-2_0-0-2.78.6-slfo.1.1_6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620493-1/ https://www.suse.com/security/cve/CVE-2026-1489.html CVE-2026-1489 https://bugzilla.suse.com/1257353 SUSE Bug 1257353