CVE-2025-55199 (GCVE-0-2025-55199)
Vulnerability from cvelistv5 – Published: 2025-08-13 23:23 – Updated: 2025-08-14 14:50
Title
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
Summary
Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/helm/helm/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/helm/helm/commit/b78692c18f0fb… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:41:12.193883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:50:39.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "helm",
"vendor": "helm",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T23:23:43.304Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p"
},
{
"name": "https://github.com/helm/helm/commit/b78692c18f0fb38fe5ba4571a674de067a4c53a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/commit/b78692c18f0fb38fe5ba4571a674de067a4c53a5"
}
],
"source": {
"advisory": "GHSA-9h84-qmv7-982p",
"discovery": "UNKNOWN"
},
"title": "Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55199",
"datePublished": "2025-08-13T23:23:43.304Z",
"dateReserved": "2025-08-08T21:55:07.965Z",
"dateUpdated": "2025-08-14T14:50:39.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-55199",
"date": "2026-06-06",
"epss": "0.0002",
"percentile": "0.05857"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-55199\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-14T00:15:27.960\",\"lastModified\":\"2025-08-21T21:25:20.793\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.\"},{\"lang\":\"es\",\"value\":\"Helm es un gestor de paquetes para gr\u00e1ficos de Kubernetes. Antes de la versi\u00f3n 3.18.5, era posible manipular un archivo de esquema JSON que pudiera provocar que Helm utilizara toda la memoria disponible y terminara por falta de memoria (OOM). Este problema se ha resuelto en Helm 3.18.5. 
Una soluci\u00f3n alternativa consiste en garantizar que todos los gr\u00e1ficos de Helm que se cargan en Helm no tengan ninguna referencia de $ref que apunte a /dev/zero.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.18.5\",\"matchCriteriaId\":\"86EA4912-E62D-4FD6-B405-D21657779F99\"}]}]}],\"references\":[{\"url\":\"https://github.com/helm/helm/commit/b78692c18f0fb38fe5ba4571a674de067a4c53a5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion\", \"source\": {\"advisory\": \"GHSA-9h84-qmv7-982p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"helm\", \"product\": \"helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.18.5\"}]}], \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/helm/helm/commit/b78692c18f0fb38fe5ba4571a674de067a4c53a5\", \"name\": \"https://github.com/helm/helm/commit/b78692c18f0fb38fe5ba4571a674de067a4c53a5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. 
A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-13T23:23:43.304Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55199\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T13:41:12.193883Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-08-14T13:41:15.378Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-55199\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-13T23:23:43.304Z\", \"dateReserved\": \"2025-08-08T21:55:07.965Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-13T23:23:43.304Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
SUSE-SU-2026:21434-1
Vulnerability from csaf_suse - Published: 2026-04-30 13:22 - Updated: 2026-04-30 13:22
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues:
Update to version 3.20.2.
Security issues fixed:
- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to expected output directory suffixed by the Chart's name (bsc#1261938).
Other updates and bugfixes:
- Version 3.20.1:
  - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
  - add image index test 90e1056 (Pedro Trres)
  - fix pulling charts from OCI indices 911f2e9 (Pedro Trres)
  - Remove refactoring changes from coalesce_test.go 76dad33 (Evans Mungai)
  - Fix import 45c12f7 (Evans Mungai)
  - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
  - Fix lint warning 09f5129 (Evans Mungai)
  - Preserve nil values in chart already 417deb2 (Evans Mungai)
  - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)
- Version 3.20.0:
  - SDK: bump k8s API versions to v0.35.0
  - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564
  - v3 backport: Bump Go version to v1.25
  - bump version to v3.20
  - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
  - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
  - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
  - chore(deps): bump the k8s-io group with 7 updates
  - [dev-v3] Replace deprecated `NewSimpleClientset`
  - [dev-v3] Bump Go v1.25, `golangci-lint` v2
  - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
  - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
  - fix(rollback): `errors.Is` instead of string comp
  - fix(uninstall): supersede deployed releases
  - Use latest patch release of Go in releases
  - chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
  - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
  - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
  - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
  - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
  - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
  - chore(deps): bump github.com/cyphar/filepath-securejoin
  - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
  - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
  - Remove dev-v3 `helm-latest-version` publish
  - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
  - Revert "pkg/registry: Login option for passing TLS config in memory"
  - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
  - Fix `helm pull` untar dir check with repo urls
  - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
  - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
  - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
  - [backport] fix: get-helm-3 script use helm3-latest-version
  - pkg/registry: Login option for passing TLS config in memory
  - Fix deprecation warning
  - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
  - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
  - Avoid "panic: interface conversion: interface {} is nil"
  - bump version to v3.19.0
  - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
  - fix: set repo authorizer in registry.Client.Resolve()
  - fix null merge
  - Add timeout flag to repo add and update flags
- Version 3.19.5:
  - Fixed bug where removing subchart value via override resulted in warning #31118
  - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556
  - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
  - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
  - fix null merge 578564e (Ben Foster)
- Version 3.19.4:
  - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
  - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
  - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
  - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
  - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
  - chore(deps): bump the k8s-io group with 7 updates edb1579
- Version 3.19.3:
  - Bump golang.org/x/crypto to v0.45.0
- Version 3.19.2:
  - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)
Patchnames: SUSE-SLES-16.0-661
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
4.4 (Medium)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\nUpdate to version 3.20.2.\n\nSecurity issued fixed:\n\n- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to\n expected output directory suffixed by the Chart\u0027s name (bsc#1261938).\n\nOther updates and bugfixes:\n\n- Version 3.20.1:\n - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])\n - add image index test 90e1056 (Pedro Trres)\n - fix pulling charts from OCI indices 911f2e9 (Pedro Trres)\n - Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)\n - Fix import 45c12f7 (Evans Mungai)\n - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)\n - Fix lint warning 09f5129 (Evans Mungai)\n - Preserve nil values in chart already 417deb2 (Evans Mungai)\n - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)\n- Version 3.20.0:\n - SDK: bump k8s API versions to v0.35.0\n - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564\n - v3 backport: Bump Go version to v1.25\n - bump version to v3.20\n - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0\n - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0\n - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0\n - chore(deps): bump the k8s-io group with 7 updates\n - [dev-v3] Replace deprecated `NewSimpleClientset`\n - [dev-v3] Bump Go v1.25, `golangci-lint` v2\n - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0\n - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30\n - fix(rollback): `errors.Is` instead of string comp\n - fix(uninstall): supersede deployed releases\n - Use latest patch release of Go in releases\n - chore(deps): bump golang.org/x/crypto from 0.45.0 to 
0.46.0\n - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0\n - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0\n - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2\n - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0\n - chore(deps): bump github.com/cyphar/filepath-securejoin\n - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0\n - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0\n - Remove dev-v3 `helm-latest-version` publish\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29\n - Revert \"pkg/registry: Login option for passing TLS config in memory\"\n - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4\n - Fix `helm pull` untar dir check with repo urls\n - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0\n - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0\n - [backport] fix: get-helm-3 script use helm3-latest-version\n - pkg/registry: Login option for passing TLS config in memory\n - Fix deprecation warning\n - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0\n - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0\n - Avoid \"panic: interface conversion: interface {} is nil\"\n - bump version to v3.19.0\n - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10\n - fix: set repo authorizer in registry.Client.Resolve()\n - fix null merge\n - Add timeout flag to repo add and update flags\n- Version 3.19.5:\n - Fixed bug where removing subchart value via override resulted in warning #31118\n - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556\n - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)\n - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)\n - fix null merge 578564e (Ben Foster)\n- 
Version 3.19.4:\n - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])\n - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])\n - chore(deps): bump the k8s-io group with 7 updates edb1579\n- Version 3.19.3:\n - Bump golang.org/x/crypto to v0.45.0\n- Version 3.19.2:\n - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21434-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21434-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621434-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21434-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025818.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-04-30T13:22:50Z",
"generator": {
"date": "2026-04-30T13:22:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21434-1",
"initial_release_date": "2026-04-30T13:22:50Z",
"revision_history": [
{
"date": "2026-04-30T13:22:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.aarch64",
"product": {
"name": "helm-3.20.2-160000.1.1.aarch64",
"product_id": "helm-3.20.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-fish-completion-3.20.2-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-zsh-completion-3.20.2-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product": {
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product_id": "helm-3.20.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.s390x",
"product": {
"name": "helm-3.20.2-160000.1.1.s390x",
"product_id": "helm-3.20.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.x86_64",
"product": {
"name": "helm-3.20.2-160000.1.1.x86_64",
"product_id": "helm-3.20.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:21461-1
Vulnerability from csaf_suse - Published: 2026-04-30 13:22 - Updated: 2026-04-30 13:22
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues:
Update to version 3.20.2.
Security issues fixed:
- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to expected output directory suffixed by the Chart's name (bsc#1261938).
Other updates and bugfixes:
- Version 3.20.1:
- chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
- add image index test 90e1056 (Pedro Trres)
- fix pulling charts from OCI indices 911f2e9 (Pedro Trres)
- Remove refactoring changes from coalesce_test.go 76dad33 (Evans Mungai)
- Fix import 45c12f7 (Evans Mungai)
- Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
- Fix lint warning 09f5129 (Evans Mungai)
- Preserve nil values in chart already 417deb2 (Evans Mungai)
- fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)
- Version 3.20.0:
- SDK: bump k8s API versions to v0.35.0
- v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564
- v3 backport: Bump Go version to v1.25
- bump version to v3.20
- chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
- chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
- chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
- chore(deps): bump the k8s-io group with 7 updates
- [dev-v3] Replace deprecated `NewSimpleClientset`
- [dev-v3] Bump Go v1.25, `golangci-lint` v2
- chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
- chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
- fix(rollback): `errors.Is` instead of string comp
- fix(uninstall): supersede deployed releases
- Use latest patch release of Go in releases
- chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
- chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
- chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
- chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
- chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
- chore(deps): bump github.com/cyphar/filepath-securejoin
- chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
- chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
- Remove dev-v3 `helm-latest-version` publish
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
- Revert "pkg/registry: Login option for passing TLS config in memory"
- jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
- Fix `helm pull` untar dir check with repo urls
- chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
- chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
- [backport] fix: get-helm-3 script use helm3-latest-version
- pkg/registry: Login option for passing TLS config in memory
- Fix deprecation warning
- chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
- chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
- Avoid "panic: interface conversion: interface {} is nil"
- bump version to v3.19.0
- chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
- fix: set repo authorizer in registry.Client.Resolve()
- fix null merge
- Add timeout flag to repo add and update flags
- Version 3.19.5:
- Fixed bug where removing subchart value via override resulted in warning #31118
- Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556
- fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
- fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
- fix null merge 578564e (Ben Foster)
- Version 3.19.4:
- Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
- chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
- chore(deps): bump the k8s-io group with 7 updates edb1579
- Version 3.19.3:
- Bump golang.org/x/crypto to v0.45.0
- Version 3.19.2:
- [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)
Patchnames: SUSE-SL-Micro-6.2-661
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
4.4 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\nUpdate to version 3.20.2.\n\nSecurity issued fixed:\n\n- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to\n expected output directory suffixed by the Chart\u0027s name (bsc#1261938).\n\nOther updates and bugfixes:\n\n- Version 3.20.1:\n - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])\n - add image index test 90e1056 (Pedro Trres)\n - fix pulling charts from OCI indices 911f2e9 (Pedro Trres)\n - Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)\n - Fix import 45c12f7 (Evans Mungai)\n - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)\n - Fix lint warning 09f5129 (Evans Mungai)\n - Preserve nil values in chart already 417deb2 (Evans Mungai)\n - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)\n- Version 3.20.0:\n - SDK: bump k8s API versions to v0.35.0\n - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564\n - v3 backport: Bump Go version to v1.25\n - bump version to v3.20\n - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0\n - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0\n - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0\n - chore(deps): bump the k8s-io group with 7 updates\n - [dev-v3] Replace deprecated `NewSimpleClientset`\n - [dev-v3] Bump Go v1.25, `golangci-lint` v2\n - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0\n - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30\n - fix(rollback): `errors.Is` instead of string comp\n - fix(uninstall): supersede deployed releases\n - Use latest patch release of Go in releases\n - chore(deps): bump golang.org/x/crypto from 0.45.0 to 
0.46.0\n - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0\n - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0\n - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2\n - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0\n - chore(deps): bump github.com/cyphar/filepath-securejoin\n - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0\n - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0\n - Remove dev-v3 `helm-latest-version` publish\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29\n - Revert \"pkg/registry: Login option for passing TLS config in memory\"\n - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4\n - Fix `helm pull` untar dir check with repo urls\n - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0\n - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0\n - [backport] fix: get-helm-3 script use helm3-latest-version\n - pkg/registry: Login option for passing TLS config in memory\n - Fix deprecation warning\n - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0\n - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0\n - Avoid \"panic: interface conversion: interface {} is nil\"\n - bump version to v3.19.0\n - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10\n - fix: set repo authorizer in registry.Client.Resolve()\n - fix null merge\n - Add timeout flag to repo add and update flags\n- Version 3.19.5:\n - Fixed bug where removing subchart value via override resulted in warning #31118\n - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556\n - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)\n - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)\n - fix null merge 578564e (Ben Foster)\n- 
Version 3.19.4:\n - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])\n - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])\n - chore(deps): bump the k8s-io group with 7 updates edb1579\n- Version 3.19.3:\n - Bump golang.org/x/crypto to v0.45.0\n- Version 3.19.2:\n - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21461-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21461-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621461-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21461-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025795.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-04-30T13:22:50Z",
"generator": {
"date": "2026-04-30T13:22:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21461-1",
"initial_release_date": "2026-04-30T13:22:50Z",
"revision_history": [
{
"date": "2026-04-30T13:22:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.aarch64",
"product": {
"name": "helm-3.20.2-160000.1.1.aarch64",
"product_id": "helm-3.20.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product": {
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product_id": "helm-3.20.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.s390x",
"product": {
"name": "helm-3.20.2-160000.1.1.s390x",
"product_id": "helm-3.20.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.x86_64",
"product": {
"name": "helm-3.20.2-160000.1.1.x86_64",
"product_id": "helm-3.20.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:21628-1
Vulnerability from csaf_suse - Published: 2026-05-12 09:44 - Updated: 2026-05-12 09:44
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues
Security issues:
- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart (bsc#1261938).
Non security issue:
- Update to version 3.20.2
- Fix packages for %suse_version bump (jsc#PED-15794).
Patchnames: SUSE-SLE-Micro-6.0-705
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
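The two fixes above are easy to triage mechanically. The following Python is an added example written for this page; it is not Helm's, SUSE's or the page's own code. The version ranges (3.x prior to 3.18.5 for CVE-2025-55199; <=3.20.1 and <=4.1.3 for CVE-2026-35206) and the "$ref pointing to /dev/zero" workaround are taken from the CVE descriptions. Everything else is this example's own choice and assumption: the `helm version --short` shape `v3.20.1+g...` it parses, the stricter policy of rejecting every non-fragment `$ref` (not just `/dev/zero`), the post-condition check that a pulled chart must land in `<destination>/<chart name>/`, and the function names. The sample schema and the on-disk layouts are constructed in the block, so it runs offline.

```python
# Triage helpers for the two Helm CVEs in this advisory. Added example, not
# Helm's, SUSE's or this page's code; ranges and the /dev/zero workaround are
# from the CVE text, the stricter policies and fixture are this example's own.
import json
import re
import tempfile
from pathlib import Path

FIXED_55199 = (3, 18, 5)                              # "prior to version 3.18.5"
LAST_AFFECTED_35206 = {3: (3, 20, 1), 4: (4, 1, 3)}   # "<=3.20.1 and <=4.1.3"

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_helm_version(text):
    """Turn 'v3.20.1+g3a4f9b2' (assumed `helm version --short` shape) into (3, 20, 1)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised helm version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version_text):
    """CVEs from this advisory whose stated ranges cover the version.
    Helm 4 is only named for CVE-2026-35206, so 4.x is never reported for 55199."""
    v = parse_helm_version(version_text)
    hits = []
    if v[0] == 3 and v < FIXED_55199:
        hits.append("CVE-2025-55199")
    last = LAST_AFFECTED_35206.get(v[0])
    if last is not None and v <= last:
        hits.append("CVE-2026-35206")
    return hits


def suspicious_refs(schema, path="$"):
    """Walk a parsed values.schema.json; return (json_path, ref) for every $ref
    that is not a local fragment ('#...'). The workaround names /dev/zero;
    refusing all external refs (file paths, file:// URIs) is stricter by choice."""
    found = []
    if isinstance(schema, dict):
        for key, val in schema.items():
            here = f"{path}.{key}"
            if key == "$ref" and isinstance(val, str) and not val.startswith("#"):
                found.append((here, val))
            else:
                found.extend(suspicious_refs(val, here))
    elif isinstance(schema, list):
        for i, val in enumerate(schema):
            found.extend(suspicious_refs(val, f"{path}[{i}]"))
    return found


def scan_chart(chart_dir):
    """Apply suspicious_refs() to <chart_dir>/values.schema.json if it exists."""
    schema_file = Path(chart_dir) / "values.schema.json"
    if not schema_file.is_file():
        return []
    return suspicious_refs(json.loads(schema_file.read_text()))


def untar_layout_ok(dest, chart_name):
    """Post-condition for `helm pull --untar`: chart must be under <dest>/<chart_name>/
    and nothing of it directly in <dest>/. Returns (ok, reason)."""
    dest = Path(dest)
    if (dest / "Chart.yaml").exists():
        return False, f"Chart.yaml written directly into {dest} (CVE-2026-35206 layout)"
    nested = dest / chart_name / "Chart.yaml"
    if not nested.is_file():
        return False, f"expected {nested} not found"
    return True, str(nested.parent)


# Constructed sample: one harmless local pointer and one $ref to /dev/zero,
# the exact pattern the advisory's workaround says to reject.
SAMPLE_SCHEMA = json.loads("""{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "image": {"$ref": "#/definitions/image"},
    "resources": {"$ref": "/dev/zero"}
  },
  "definitions": {
    "image": {"type": "object", "properties": {"tag": {"type": "string"}}}
  }
}""")


def make_untar_fixture(spilled):
    """Constructed on-disk stand-in for a `helm pull --untar` result. spilled=False
    builds the expected <dest>/mychart/ layout; spilled=True builds the wrong one
    the advisory describes (chart contents written into <dest> itself)."""
    dest = Path(tempfile.mkdtemp(prefix="helm-untar-"))
    chart_dir = dest if spilled else dest / "mychart"
    chart_dir.mkdir(exist_ok=True)
    (chart_dir / "Chart.yaml").write_text("apiVersion: v2\nname: mychart\nversion: 0.1.0\n")
    (chart_dir / "values.schema.json").write_text(json.dumps(SAMPLE_SCHEMA))
    return dest


if __name__ == "__main__":
    print("affected:", affected_cves("v3.20.1+g3a4f9b2"))
    for spilled in (False, True):
        print("untar layout:", untar_layout_ok(make_untar_fixture(spilled), "mychart"))
    print("external $ref:", scan_chart(make_untar_fixture(False) / "mychart"))
```

Run `scan_chart()` on every chart before `helm install`/`helm template` on a host that still runs a Helm older than 3.18.5, and `untar_layout_ok()` right after `helm pull --untar` in CI on anything at or below 3.20.1 / 4.1.3; once the SUSE package in this advisory (3.20.2) is installed, `affected_cves()` returns an empty list for both.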
CVE-2025-55199: 6.5 (Medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64 | — | 3.20.2-1.1 | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x | — | 3.20.2-1.1 | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64 | — | 3.20.2-1.1 | Vendor Fix |
| SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch | — | 3.20.2-1.1 | Vendor Fix |
Threats
Impact
moderate
CVE-2026-35206: 4.4 (Medium), CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64 | — | 3.20.2-1.1 | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x | — | 3.20.2-1.1 | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64 | — | 3.20.2-1.1 | Vendor Fix |
| SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch | — | 3.20.2-1.1 | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues\n\nSecurity issues:\n\n- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart\n (bsc#1261938).\n\nNon security issue:\n\n- Update to version 3.20.2 \n- Fix packages for %suse_version bump (jsc#PED-15794).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-705",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21628-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21628-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621628-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21628-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046486.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-05-12T09:44:44Z",
"generator": {
"date": "2026-05-12T09:44:44Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21628-1",
"initial_release_date": "2026-05-12T09:44:44Z",
"revision_history": [
{
"date": "2026-05-12T09:44:44Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-1.1.aarch64",
"product": {
"name": "helm-3.20.2-1.1.aarch64",
"product_id": "helm-3.20.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-1.1.s390x",
"product": {
"name": "helm-3.20.2-1.1.s390x",
"product_id": "helm-3.20.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-1.1.x86_64",
"product": {
"name": "helm-3.20.2-1.1.x86_64",
"product_id": "helm-3.20.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-1.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64"
},
"product_reference": "helm-3.20.2-1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-1.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x"
},
"product_reference": "helm-3.20.2-1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-1.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64"
},
"product_reference": "helm-3.20.2-1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-1.1.noarch as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T09:44:44Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T09:44:44Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:21635-1
Vulnerability from csaf_suse - Published: 2026-05-12 10:16 - Updated: 2026-05-12 10:16
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues
Security issues:
- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart (bsc#1261938).
Non security issue:
- Update to version 3.20.2
- Fix packages for %suse_version bump (jsc#PED-15794).
Patchnames: SUSE-SLE-Micro-6.1-525
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2025-55199: 6.5 (Medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64 | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64 | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
Threats
Impact
moderate
CVE-2026-35206: 4.4 (Medium), CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64 | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64 | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
| SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch | — | 3.20.2-slfo.1.1_1.1 | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues\n\nSecurity issues:\n\n- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart\n (bsc#1261938).\n\nNon security issue:\n\n- Update to version 3.20.2\n- Fix packages for %suse_version bump (jsc#PED-15794).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-525",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21635-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21635-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621635-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21635-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046479.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-05-12T10:16:57Z",
"generator": {
"date": "2026-05-12T10:16:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21635-1",
"initial_release_date": "2026-05-12T10:16:57Z",
"revision_history": [
{
"date": "2026-05-12T10:16:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.aarch64",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.aarch64",
"product_id": "helm-3.20.2-slfo.1.1_1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.ppc64le",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.ppc64le",
"product_id": "helm-3.20.2-slfo.1.1_1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.s390x",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.s390x",
"product_id": "helm-3.20.2-slfo.1.1_1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.x86_64",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.x86_64",
"product_id": "helm-3.20.2-slfo.1.1_1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T10:16:57Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T10:16:57Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
WID-SEC-W-2025-2727
Vulnerability from csaf_certbund - Published: 2025-12-02 23:00 - Updated: 2026-05-04 22:00
Summary
Red Hat OpenShift Container Platform: Multiple vulnerabilities allow denial of service
Severity
Medium
Notes
The BSI, as the provider of the content it makes available, is responsible for its own content under the general laws. Users, however, are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with this content.
Product description: Red Hat OpenShift is a "Platform as a Service" (PaaS) solution for deploying applications in the cloud.
Attack: A remote, anonymous attacker can exploit multiple vulnerabilities in Red Hat OpenShift Container Platform to carry out a denial of service attack.
Affected operating systems: - Linux
Affected products
Known affected (the same four products are listed for both CVE-2025-55198 and CVE-2025-55199)
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux (SUSE) | cpe:/o:suse:suse_linux:- | — | — |
| SUSE openSUSE (SUSE) | cpe:/o:suse:opensuse:- | — | — |
| Red Hat OpenShift Container Platform <4.21.1 (Red Hat / OpenShift) | — | Container Platform <4.21.1 | — |
| Red Hat OpenShift Container Platform <4.20.6 (Red Hat / OpenShift) | — | Container Platform <4.20.6 | — |
References
6 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat OpenShift Container Platform ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2727 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2727.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2727 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2727"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2025-12-02",
"url": "https://access.redhat.com/errata/RHSA-2025:22257"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2129 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2129"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21461-1 vom 2026-05-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025795.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20655-1 vom 2026-05-04",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E3IHNXEG2P5U44VJFWYSBUQWBQ4GFJYP/"
}
],
"source_lang": "en-US",
"title": "Red Hat OpenShift Container Platform: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
"tracking": {
"current_release_date": "2026-05-04T22:00:00.000+00:00",
"generator": {
"date": "2026-05-05T08:26:12.731+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2727",
"initial_release_date": "2025-12-02T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-12-02T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-02-09T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-03T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-05-04T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Container Platform \u003c4.20.6",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.20.6",
"product_id": "T049018"
}
},
{
"category": "product_version",
"name": "Container Platform 4.20.6",
"product": {
"name": "Red Hat OpenShift Container Platform 4.20.6",
"product_id": "T049018-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.20.6"
}
}
},
{
"category": "product_version_range",
"name": "Container Platform \u003c4.21.1",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.21.1",
"product_id": "T050641"
}
},
{
"category": "product_version",
"name": "Container Platform 4.21.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.21.1",
"product_id": "T050641-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.21.1"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55198",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T050641",
"T049018"
]
},
"release_date": "2025-12-02T23:00:00.000+00:00",
"title": "CVE-2025-55198"
},
{
"cve": "CVE-2025-55199",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T050641",
"T049018"
]
},
"release_date": "2025-12-02T23:00:00.000+00:00",
"title": "CVE-2025-55199"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.