SUSE SLED15 / SLES15 Security Update : alloy (SUSE-SU-2026:2824-1)

medium Nessus Plugin ID 326329

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2824-1 advisory.

This update for alloy fixes the following issues

- CVE-2026-10722: github.com/cilium/ebpf: BTF string offset boundary check can lead to crash when parsing malformed ELF/BTF input (bsc#1267811).
- CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506: golang.org/x/net/html:
multiple issues when parsing HTML files (bsc#1267185).
- CVE-2026-33532: Denial of Service via deeply nested YAML document parsing (bsc#1260981).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266654).
- CVE-2026-39827,CVE-2026-39828,CVE-2026-39829,CVE-2026-39830,CVE-2026-39831,CVE-2026-39832,CVE-2026- 39833,CVE-2026-39834,CVE-2026-39835,CVE-2026-42508,CVE-2026-46595,CVE-2026-46597,CVE-2026-46598:
golang.org/x/crypto/ssh: multiple issues (bsc#1266196).
- CVE-2026-41889: github.com/jackc/pgx/v5/internal/sanitize: SQL injection when placeholders in dollar- quoted string literals are used in the SQL query (bsc#1265440).
- CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267333).
- CVE-2026-45678: go.opentelemetry.io/obi: Postgres BIND parsing can lead to a panic when malformed payloads are processed (bsc#1267481).
- CVE-2026-45682: go.opentelemetry.io/obi: keys not deleted by `CappedConcurrentHashMap` after removals allows repeated connection churn to grow the queue without bound and exhaust heap memory (bsc#1267485).
- CVE-2026-45685: go.opentelemetry.io/obi: MongoDB TCP parser panics on malformed wire messages and causes a DoS (bsc#1267488).
- CVE-2026-45686: go.opentelemetry.io/obi: integer overflow in memcached text protocol parser can crash the OBI process and cause denial of service (bsc#1267489).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected alloy package.

See Also

https://bugzilla.suse.com/1260981

https://bugzilla.suse.com/1265440

https://bugzilla.suse.com/1266196

https://bugzilla.suse.com/1266654

https://bugzilla.suse.com/1267185

https://bugzilla.suse.com/1267333

https://bugzilla.suse.com/1267481

https://bugzilla.suse.com/1267485

https://bugzilla.suse.com/1267488

https://bugzilla.suse.com/1267489

https://bugzilla.suse.com/1267811

https://lists.suse.com/pipermail/sle-updates/2026-July/048076.html

https://www.suse.com/security/cve/CVE-2026-10722

https://www.suse.com/security/cve/CVE-2026-25680

https://www.suse.com/security/cve/CVE-2026-25681

https://www.suse.com/security/cve/CVE-2026-27136

https://www.suse.com/security/cve/CVE-2026-33532

https://www.suse.com/security/cve/CVE-2026-39821

https://www.suse.com/security/cve/CVE-2026-39827

https://www.suse.com/security/cve/CVE-2026-39828

https://www.suse.com/security/cve/CVE-2026-39829

https://www.suse.com/security/cve/CVE-2026-39830

https://www.suse.com/security/cve/CVE-2026-39831

https://www.suse.com/security/cve/CVE-2026-39832

https://www.suse.com/security/cve/CVE-2026-39833

https://www.suse.com/security/cve/CVE-2026-39834

https://www.suse.com/security/cve/CVE-2026-39835

https://www.suse.com/security/cve/CVE-2026-41889

https://www.suse.com/security/cve/CVE-2026-42502

https://www.suse.com/security/cve/CVE-2026-42506

https://www.suse.com/security/cve/CVE-2026-42508

https://www.suse.com/security/cve/CVE-2026-44740

https://www.suse.com/security/cve/CVE-2026-45678

https://www.suse.com/security/cve/CVE-2026-45682

https://www.suse.com/security/cve/CVE-2026-45685

https://www.suse.com/security/cve/CVE-2026-45686

https://www.suse.com/security/cve/CVE-2026-46595

https://www.suse.com/security/cve/CVE-2026-46597

https://www.suse.com/security/cve/CVE-2026-46598

Plugin Details

Severity: Medium

ID: 326329

File Name: suse_SU-2026-2824-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/10/2026

Updated: 7/10/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.03

CVSS v2

Risk Factor: Low

Base Score: 1.7

Temporal Score: 1.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2026-10722

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-41889

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:alloy, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/9/2026

Vulnerability Publication Date: 3/25/2026

Reference Information

CVE: CVE-2026-10722, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-33532, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-41889, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-44740, CVE-2026-45678, CVE-2026-45682, CVE-2026-45685, CVE-2026-45686, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598

SuSE: SUSE-SU-2026:2824-1