SUSE-SU-2026:0592-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20260592-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0592-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:0592-1
Published
2026-02-20T14:27:24Z
Modified
2026-02-21T13:17:08.940262Z
Summary
Security update for vexctl
Details

This update for vexctl fixes the following issues:

  • Update to version 0.4.1+git78.f951e3a:
  • CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2. (bsc#1239186)
  • CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto. (bsc#1234486)
  • CVE-2025-27144: Go JOSE's Parsing Vulnerable to Denial of Service. (bsc#1237611)
  • CVE-2025-22870: proxy bypass using IPv6 zone IDs. (bsc#1238683)
  • CVE-2025-22869: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh. (bsc#1239323)
  • CVE-2025-30204: jwt-go allows excessive memory allocation during header parsing. (bsc#1240444)
  • CVE-2025-58181: unvalidated number of mechanisms can cause unbounded memory consumption. (bsc#1253802)
  • CVE-2026-22772: MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services. (bsc#1256535)
  • CVE-2026-24137: legacy TUF client allows for arbitrary file writes with target cache path traversal. (bsc#1257138)

Affected packages

openSUSE:Leap 15.6 / vexctl

Package

Name
vexctl
Purl
pkg:rpm/opensuse/vexctl&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.1+git78.f951e3a-150000.1.11.1

Ecosystem specific

{
    "binaries": [
        {
            "vexctl": "0.4.1+git78.f951e3a-150000.1.11.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0592-1.json"