ESB-2026.4555
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2026.4555
                          Security update for helm
                                  5 May 2026

===========================================================================

        AUSCERT Security Bulletin Summary
        ---------------------------------

Product:           helm
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2025-55199 CVE-2026-35206

Original Bulletin:
   https://www.suse.com/support/update/announcement/2026/suse-su-202621434-1

Comment: CVSS (Max):  6.5 CVE-2025-55199 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
         EPSS (Max):  0.0% (4th) CVE-2025-55199 2026-05-03

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update for helm

Announcement ID:  SUSE-SU-2026:21434-1
Release Date:     2026-04-30T13:26:15Z
Rating:           moderate

References:
  o bsc#1248093
  o bsc#1261938

Cross-References:
  o CVE-2025-55199
  o CVE-2026-35206

CVSS scores:
  o CVE-2025-55199 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  o CVE-2025-55199 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  o CVE-2025-55199 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  o CVE-2026-35206 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  o CVE-2026-35206 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  o CVE-2026-35206 ( NVD ):  4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  o CVE-2026-35206 ( NVD ):  4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Affected Products:
  o SUSE Linux Enterprise Server 16.0
  o SUSE Linux Enterprise Server for SAP applications 16.0

An update that solves two vulnerabilities can now be installed.

Description:

This update for helm fixes the following issues:

Update to version 3.20.2.

Security issues fixed:

  o CVE-2025-55199: a specially crafted JSON Schema can lead to out of memory
    (OOM) termination (bsc#1248093).
  o CVE-2026-35206: a specially crafted Chart will have its contents extracted
    to the immediate output directory rather than to the expected output
    directory suffixed by the Chart's name (bsc#1261938).

Other updates and bugfixes:

  o Version 3.20.1:
      o chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
      o add image index test 90e1056 (Pedro Torres)
      o fix pulling charts from OCI indices 911f2e9 (Pedro Torres)
      o Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
      o Fix import 45c12f7 (Evans Mungai)
      o Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
      o Fix lint warning 09f5129 (Evans Mungai)
      o Preserve nil values in chart already 417deb2 (Evans Mungai)
      o fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)

  o Version 3.20.0:
      o SDK: bump k8s API versions to v0.35.0
      o v3 backport: Fixed a bug where helm uninstall with --keep-history did
        not suspend previous deployed releases #12564
      o v3 backport: Bump Go version to v1.25
      o bump version to v3.20
      o chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
      o chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
      o chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
      o chore(deps): bump the k8s-io group with 7 updates
      o [dev-v3] Replace deprecated NewSimpleClientset
      o [dev-v3] Bump Go v1.25, golangci-lint v2
      o chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
      o chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
      o fix(rollback): errors.Is instead of string comp
      o fix(uninstall): supersede deployed releases
      o Use latest patch release of Go in releases
      o chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
      o chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
      o chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
      o chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
      o chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
      o chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
      o chore(deps): bump github.com/cyphar/filepath-securejoin
      o chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
      o chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
      o Remove dev-v3 helm-latest-version publish
      o chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0
      o 1.7.28 to 1.7.29
      o Revert "pkg/registry: Login option for passing TLS config in memory"
      o jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
      o Fix helm pull untar dir check with repo urls
      o chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
      o chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
      o chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
      o [backport] fix: get-helm-3 script use helm3-latest-version
      o pkg/registry: Login option for passing TLS config in memory
      o Fix deprecation warning
      o chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
      o chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
      o Avoid "panic: interface conversion: interface {} is nil"
      o bump version to v3.19.0
      o chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
      o fix: set repo authorizer in registry.Client.Resolve()
      o fix null merge
      o Add timeout flag to repo add and update flags

  o Version 3.19.5:
      o Fixed bug where removing subchart value via override resulted in warning #31118
      o Fixed bug where helm uninstall with --keep-history did not suspend
        previous deployed releases #12556
      o fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
      o fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
      o fix null merge 578564e (Ben Foster)

  o Version 3.19.4:
      o Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
      o chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
      o chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
      o chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
      o chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
      o chore(deps): bump the k8s-io group with 7 updates edb1579

  o Version 3.19.3:
      o Bump golang.org/x/crypto to v0.45.0

  o Version 3.19.2:
      o [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Server for SAP applications 16.0
      zypper in -t patch SUSE-SLES-16.0-661=1
  o SUSE Linux Enterprise Server 16.0
      zypper in -t patch SUSE-SLES-16.0-661=1

Package List:

  o SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
      helm-3.20.2-160000.1.1
      helm-debuginfo-3.20.2-160000.1.1
  o SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
      helm-fish-completion-3.20.2-160000.1.1
      helm-bash-completion-3.20.2-160000.1.1
      helm-zsh-completion-3.20.2-160000.1.1
  o SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
      helm-3.20.2-160000.1.1
      helm-debuginfo-3.20.2-160000.1.1
  o SUSE Linux Enterprise Server 16.0 (noarch)
      helm-fish-completion-3.20.2-160000.1.1
      helm-bash-completion-3.20.2-160000.1.1
      helm-zsh-completion-3.20.2-160000.1.1

References:

  o https://www.suse.com/security/cve/CVE-2025-55199.html
  o https://www.suse.com/security/cve/CVE-2026-35206.html
  o https://bugzilla.suse.com/show_bug.cgi?id=1248093
  o https://bugzilla.suse.com/show_bug.cgi?id=1261938

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AUSCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AUSCERT's members. As
AUSCERT did not write the document quoted above, AUSCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AUSCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://portal.auscert.org.au/bulletins/

===========================================================================
AUSCERT
The University of Queensland, Brisbane QLD 4072 Australia
e: auscert@auscert.org.au
t: +61 (0)7 3365 4417
Allies in Cyber Security
===========================================================================
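The Patch Instructions above tell you how to apply the update; what a fleet operator usually wants next is a repeatable way to confirm it actually landed on each host. The following shell script is an added example and is not part of the SUSE or AUSCERT bulletin: it compares an rpm VERSION-RELEASE string against the fixed build helm-3.20.2-160000.1.1 from the Package List. The rpm query format and the availability of GNU sort -V are assumptions; the version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE/AUSCERT bulletin): report whether the
# installed helm RPM is at or above the fixed build named in the bulletin's
# Package List for SLES 16.0, helm-3.20.2-160000.1.1.

FIXED_HELM_VERSION="3.20.2-160000.1.1"   # VERSION-RELEASE from the bulletin

# version_ge A B: true when RPM version-release A sorts at or above B.
# Assumes GNU sort -V (natural version ordering), so 3.20.10 > 3.20.2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# helm_patched VERSION-RELEASE: prints "patched" when the given build is at
# or above the fixed one, otherwise "vulnerable".
#   helm_patched 3.19.5-160000.1.1  -> vulnerable   (constructed input)
#   helm_patched 3.20.2-160000.1.1  -> patched
helm_patched() {
    if version_ge "$1" "$FIXED_HELM_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# installed_helm_version: VERSION-RELEASE of the helm package on this host,
# or nothing when helm is not installed. The rpm --qf format is an
# assumption about the local rpm build; adjust if your rpm differs.
installed_helm_version() {
    rpm -q helm >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' helm
}

# Report on the live host only where rpm exists; elsewhere the functions
# above are still defined for use with a version string you supply.
if command -v rpm >/dev/null 2>&1; then
    v=$(installed_helm_version)
    if [ -z "$v" ]; then
        echo "helm: not installed"
    else
        echo "helm $v: $(helm_patched "$v")"
    fi
fi
```

Run it on each SLES 16.0 host after `zypper in -t patch SUSE-SLES-16.0-661=1`; a "vulnerable" line means the patch did not apply (for example a held-back package or an un-refreshed repository), which is the case worth following up rather than assuming the zypper call succeeded everywhere.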
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SUSE | helm | |
Timeline
- May 5, 2026 CVE Published