Detections
Analytics

SUSE SLED15 / SLES15 Security Update : alloy (SUSE-SU-2026:2438-1)

medium Nessus Plugin ID 321596

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2438-1 advisory.

 This update for alloy fixes the following issues

 Security issues:

 - CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server to crash a client application via a DataRow message (bsc#1259919).
 - CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files (bsc#1258099).
 - CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results and lead to undefined behavior (bsc#1258609).
 - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2:
 path pseudo- header (bsc#1260317).
 - CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262955).
 - CVE-2026-41602: github.com/apache/thrift: TFramedTransport frame size headers can lead to a uint32 integer overflow (bsc#1263530).

 Non security issue:

 - Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815).
 - Update to version 1.16.1
 * Bug Fixes logging: Fix startup deadlock when components log before logging config is evaluated Update to Beyla 3.9.8 Migrate from Docker to Moby
 - Use latest openSUSE Tumbleweed image for building web UI assets
 - Install nvm to set node version specified upstream
 - update to 1.16.0:
 * Features
 - Add clustering for loki.source.kubernetes_events (#6027) (3dbf587) (@petewall)
 - Add otelcol.auth.google client auth provider (#5526) (da99a66) (@dashpole, @clayton-cornell)
 - beyla.ebpf: Bump to v3.7.0 (#5966) (5126c2e) (@marctc)
 - database_observability: Add support for GCP Cloud SQL metadata (#5875) (5d23245) (@cristiangreco, @clayton-cornell)
 - database_observability: Make targets optional (#5924) (54664b2) (@matthewnolf)
 - database_observability: Update default excluded schemas and users (#6080) (b386fff) (@cristiangreco)
 - faro.receiver: Add sourcemap fetching from remote locations (#4614) (b6cb5da) (@Oxel40)
 - helm: Add support for global.image.pullPolicy (#6069) (2e2ce72) (@petewall)
 - helm: Allow configuring image pull policy for config reloader (#5923) (991539b) (@kalleep)
 - loki.secretfilter: Add label_timed_out option to mark timed-out log lines (#5898) (2ad8834) (@kleimkuhler)
 - loki.secretfilter: Add secrets_redacted_by_category_total metric combining rule and origin (#5855) (053a2f7) (@kleimkuhler)
 - loki.secretfilter: Change secretfilter to use go-re2 regex library instead of stdlib (#5909) (c16a660) (@mikefat)
 - loki.secretfilter: Remove redundant secrets_redacted_by_rule_total and secrets_redacted_by_origin metrics (#5970) (b16decb) (@kleimkuhler)
 - Oracle exporter can scrape more than one DB (#6008) (6fbad38) (@ptodev)
 - prometheus.exporter.cloudwatch: Upgrade YACE and drop aws-sdk-go v1 support (#5936) (f1c036d) (@x1unix)
 - prometheus.exporter.mysql: Update to mysqld_exporter 0.19.0 (#5836) (4f49b57) (@cristiangreco)
 - prometheus.remote_write: Sync WAL with upstream Prometheus (#5907) (e74a91b) (@x1unix)
 - pyroscope: Add support for extra async-profiler CLI arguments (#5472) (9251e33) (@ivanape)
 - pyroscope: Replace Parca gRPC debuginfo upload with Pyroscope Connect API (#5891) (e7ea34a) (@korniltsev-grafanista)
 - pyroscope: Update debuginfo client for HTTP/1.1 upload API (#6037) (879d8e5) (@korniltsev-grafanista)
 - Change service stop command from 'sc' to 'net' (#5906) (450973d) (@mateuszdrab)
 - database_observability.mysql: Refactor explain plan loop batch size (#5894) (f0fcd6b) (@cristiangreco)
 - database_observability.postgres: Cleanup embedded exporter collectors on reconnection (#6079) (f30d9ae) (@cristiangreco)
 - database_observability.postgres: Fix EXPLAIN param count when placeholders repeat (#6082) (b612b81) (@rgeyer)
 - database_observability: Drop schema_detection from logs (#6076) (b0105cb) (@cristiangreco)
 - database_observability: Ensure connection_info_monitor goroutine exits on Stop (#5874) (1e3334b) (@cristiangreco)
 - deps: Update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 [SECURITY] (#6004) (38f4346)
 - deps: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (#5934) (a5154af)
 - deps: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (#6090) (0e59d64)
 - deps: Update module github.com/nwaples/rardecode/v2 to v2.2.0 [SECURITY] (b44d51a) (@jharvey10)
 - deps: Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] (#6016) (d92c5c0) go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [SECURITY] (#6017) (e655bbc)
 - deps: Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] (#6018) (94006e8)
 - deps: Update some minor go dep versions (#5896) (4ddd0ed) (@jharvey10)
 - go: Update alloy builder image to Go 1.25.9 (#6012) (d2ae8b8) (@x1unix)
 - go: Upgrade to Go 1.25.9 (#6019) (d777ed1) (@x1unix, @kalleep)
 - Helm: RBAC template handles empty rule arrays (#4860) (c9430e9) (@naptalie, @dehaansa, @kalleep)
 - loki.process: Eliminate per-stream goroutines in multiline stage (#6036) (c089e2e) (@kgeckhart)
 - loki.process: Prevent stage.structured_metadata from adding the same metadata several times (#5965) (0ec8a26) (@kalleep, @thampiotr)
 - loki.process: Wrap template in a custom type and move validation to syntax.Validator (#5910) (700dd7d) (@kalleep)
 - prometheus.exporter.postgres: Close DB connections on update (#6021) (8da97cf) (@kalleep)
 - prometheus.scrape: Update scrape_native_histograms to be updated at runtime (#6087) (18b205c) (@kalleep)
 - pyroscope.ebpf: Fix deadlock on LRU eviction in irsymcache (#5911) (03ca563) (@luweglarz)
 - pyroscope.ebpf: Move Pyroscope ebpf metrics registration after component error handling (#5540) (a3c57c0) (@crbednarz, @marcsanmi)
 - pyroscope: Set user agent on debuginfo connect-go client (#6022) (38ad1ef) (@korniltsev-grafanista)
 - ui: Large arguments are downloaded as files instead of rendered (#5268) (26c67b3) (@ptodev)
 - Update go-m1cpu v0.1.7 -> v0.2.1 to fix M5 chip crash (#6034) (7fa0cbc) (@ymotongpoo)
 - windows-installer: Increase service restart on failure delays (#5969) (add15b1) (@rknightion)
 - add script to package webassets inside a podman container, to not endanger or pollute the host system with npm
 - update to 1.15.1:
 goroutine exits on Stop
 * CVE-2026-34986: Fix panic in JWE decryption (bsc#1262955)
 - update to 1.15.0:
 * BREAKING CHANGES
 - otelcol: Upgrade to OTel Collector v0.147.0
 - Renamed undocumented metrics that was previously prefixed with <component_id><metric_name> to loki_source_awsfirehose<metric_name>
 * Security CVE-2026-26958: Update filippo.io/edwards25519 to version 1.1.1 (bsc#1258609).
 - alloy-mixin: Add filters, groupBy, and multi-select dashboard variables
 - beyla.ebpf: Add support for Prometheus native histograms
 - beyla.ebpf: Bump Beyla to v3.6
 - converters: Support converting Promtail limits_config
 - database_observability.mysql: Add filtering of query samples and wait events by minimum duration
 - database_observability.mysql: Embed prometheus exporter within db-o11y component
 - database_observability.postgres: Add configurable limit to pg_stat_statements query
 - database_observability.postgres: Embed prometheus exporter
 - database_observability: Promote components to stable
 - Expose Functionality to Handle syslogs with Empty MSG Field
 - loki.process: Support structured metadata as source type of stage.labels for loki.process
 - loki.secretfilter: Add sampling for secretfilter entries
 - loki.source.gcplog: Add alloy config for MaxOutstandingBytes and MaxOutstandingMessages
 - loki.write: Add loki pipeline latency metric
 - mixin: Update loki dashboard
 - otelcol.receiver.datadog: Expose intake proxy and trace_id_cache_size settings
 - prometheus.exporter.cloudwatch: Use aws-sdk-go-v2 by default
 - pyroscope.ebpf: Add comm, pid labels and kernel frame options
 - update to 1.14.1:
 - Correctly handle the deprecated topic field in otelcol.receiver.kafka configuration
 - loki.process: Protect against json that does not look like docker json format
 - loki.source.file: Keep positions for compressed files when reading is finished
 - prometheus.scrape: Update arguments and targets even if scrape_native_histograms and extra_metrics are updated
 - update to 1.14.0:
 - loki.secretfilter: Some config options are removed entirely:
 partial_mask (replaced with redact_percent), allowlist (now controlled with custom gitleaks config), enable_entropy, include_generic, types (now controlled with custom gitleaks config).
 - otelcol.receiver.prometheus: otelcol.receiver.prometheus no longer sets start times of OTLP metrics.
 * Security:
 - update to 1.13.2:
 - Expose missing otelcol.processor.tail_sampling options
 - mixin: Add zipped dashboards as a release artifact
 - profiler: Backport Go 1.26 gopclntab textStart fix
 - prometheus.exporter.postgres: Update version of the exporter fork to fix pg_settings
 - pyroscope.ebpf: Backport dotnet nibble map fix
 - update to 1.13.1:
 - timeout before starting new ones
 - update to 1.13.0:
 - otelcol: Upgrade to OTel Collector v0.142.0
 - otelcol.receiver.kafka: The global topic attribute has been deleted; use the topics attributes inside the logs, metrics, and traces blocks instead.
 - otelcol.exporter > sending_queue > batch > min_size changed from 8192 to 2000 and max_size changed from 0 to 3000
 - Add a virtual_node_peer_attributes and virtual_node_extra_label arguments to otelcol.connector.servicegraph
 - Add an otelcol.processor.metric_start_time component
 - Add job level period, length, and add_cloudwatch_timestamp options and labels_snake_case to CW exporter
 - Add missing configuration parameter deployment_name_from_replicaset to k8sattributes processor
 - Add parcas symbols upload to pyroscope.ebpf
 - Add sharding for loki.write
 - Add unexposed otel engine and extension to codebase and change build structure
 - beyla.ebpf: Add meta_cache_address to beyla.ebpf.attributes.kubernetes
 - beyla.ebpf: Upgrade Beyla to v2.8.5
 - Change the defaults for sending_queue > batch block inside otelcol.exporter components
 - cluster: Support DNS discovery mode prefixes in
 --cluster.join-addresses flag
 - converter: Update promtail converter to use file_match block for loki.source.file
 - database_observability: Add health check collector for postgres component
 - database_observability: Expose exclude_schemas and exclude_databases settings
 - database_observability: Support Azure cloud provider config data
 - database_observability.mysql: Support excluding schemas in all collectors
 - database_observability.postgres: Support excluding DBs in all collectors

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected alloy package.

See Also

https://bugzilla.suse.com/1258099

https://bugzilla.suse.com/1258609

https://bugzilla.suse.com/1259919

https://bugzilla.suse.com/1260317

https://bugzilla.suse.com/1262955

https://bugzilla.suse.com/1263530

https://lists.suse.com/pipermail/sle-updates/2026-June/047406.html

https://www.suse.com/security/cve/CVE-2026-25934

https://www.suse.com/security/cve/CVE-2026-26958

https://www.suse.com/security/cve/CVE-2026-33186

https://www.suse.com/security/cve/CVE-2026-34986

https://www.suse.com/security/cve/CVE-2026-41602

Plugin Details

Severity: Medium

ID: 321596

File Name: suse_SU-2026-2438-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/20/2026

Updated: 6/20/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-25934

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-26958

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:alloy, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/17/2026

Vulnerability Publication Date: 2/9/2026

Reference Information

CVE: CVE-2026-25934, CVE-2026-26958, CVE-2026-33186, CVE-2026-34986, CVE-2026-41602

SuSE: SUSE-SU-2026:2438-1