OPENSUSE-SU-2026:21333-1

Vulnerability from csaf_opensuse - Published: 2026-07-13 19:29 - Updated: 2026-07-13 19:29
Summary
Security update for nasm
Severity
Low
Notes
Title of the patch: Security update for nasm
Description of the patch: This update for nasm fixes the following issues - CVE-2026-6067: heap buffer overflow vulnerability due to a lack of bounds checking in the obj_directive() function (bsc#1261986). - CVE-2026-6068: heap use after free vulnerability in response file processing (bsc#1261985). Changes for nasm: - Update to 3.02: * Fix build problems on C23 compilers using a pre-C23 version of <stdbool.h> which defines bool as a macro in violation of the C23 specification. * The immediate form of the JMPE instruction (opcode 0F B8) has been changed to an absolute address, as in the Itanium Architecture Software Developer's Manual, version 2.3, Volume 4, page 4:249. Hopefully this won't break whatever virtual environments use JMPE, but it is the closest thing there is to an official specification for this opcode. * Being an absolute address, treat it equivalent to a FAR jump and do not default to 64 bits in 64-bit mode. * That JMPE has apparently been wrong all these years is probably as good of a hint as any how much it has been actually used, but it does have the possibility of breaking virtual environments. In that case, please file a bug report to https://bugs.nasm.us with details about the virtual environment, and we will figure out a suitable solution. * Various build fixes. Fix the documentation not building on MacOS because of the cp utility lacking -u there. Also fix not building generally due to wrong link formatting. Another fix was a typo in compiler.h related to a C++ check. * Corrections to assembling encodings: + Fix CMP allowing LOCK which is illegal. + Correct multiple AVX512 instructions such as VCVTSD2SI, VCVTSD2USI, VCVTSS2SI, VCVTSS2USI, VCVTTSD2SI, VCVTTSD2USI, VCVTTSS2SI, VCVTTSS2USI, VGETEXPSH, VGETMANTSH, MOVDDUP, VMOVDDUP. + Fixed other encodings or instruction formats for instructions UWRMSR, CMPSD, VCMPSS, V4FMADDSS, V4FNMADDSS, VCVTDQ2PH, VCVTPD2PH, VCVTPH2UDQ, VCVTQQ2PH, VCVTUDQ2PH, VCVTUQQ2PH, VGETEXPSH, VGETMANTSH, VRCPPH, VRSQRTPH, VCVTPH2BF8, VCVTPH2BF8S, VCVTPH2HF8, VCVTPH2HF8S. + Fixed typos in VP4DPWSSD mnemonic. + Fixed BYTE and WORD operands getting the same encoding on arithmetic instructions such as CMP. + Fixed PUSH not assembling when used with a DWORD in 64-bit mode. This is not a recommended syntax as the operand size is still 64 bits, but was permitted by earlier versions of NASM. + Fix parsing of $--escaped symbols in directives (GLOBAL, STATIC, EXTERN, REQUIRED, COMMON). * Corrections to disassembling: + Shift instructions with the unity operand were getting disassembled to a zero operand instead of one. + JMP, CALL and JMPE disassembled incorrectly with the register operands. * Whole bunch of minor fixes to operand sizes, operand size prefixes. Changes mostly return the behavior known from 2.16.03. * MOV [mem], label would be accepted without size specifiers which could cause unintended consequences. Raise an error if no size was specified and one of the operands is a memory reference and another operands is a label. * JMP NEAR is now the same as JMP STRICT NEAR as the STRICT is redundant here. JMP WORD on the other hand is up for optimization as NEAR and WORD relate to different things -- jump lengths and operation sizes respectively. * Using redundant (or not) but valid operands size prefixes was fixed on instructions such as IRET, PUSHF, POPF, PUSH and POP. * Using an operand size prefix on a JMP or CALL instruction could generate an invalid instruction. This appears to have been a long-standing bug. Specifying the operand size by specifying the size of the immediate explicitly (e.g. JMP DWORD label) has always worked correctly, however. * Add support for C2y-style \o escape sequences, braced escape sequences, and as NASM extensions, decimal escape sequences (\d) and control-character escape sequences (\^). See section 3.4.2. * Fix generation of the short opcodes for ADD, OR, ADC, SBB, AND, SUB, XOR, and CMP AL,imm8. * Fix truncation of the generated constant to 63 bits when invoking a single-line macro when an argument is defined as =/b or =/ub. * Add an %env() preprocessor function as a more robust and flexible alternative to the %! construct. See section 5.5.7. * The maximum number of multi-line macro parameters is now a configurable limit. See section 2.1.32. * The --limit- options and %pragma limit now accept the keywords default, maximum, and reset. See section 2.1.32. * Fix parsing of seg:offs--style FAR pointers in EQU. * Fix the %clear preprocessor directive hanging when given parameters. * The never properly implemented (or documented) preprocessor directives %rmacro and %irmacro are now properly disabled; to avoid breaking existing code, they fall back to %macro and %imacro with a suitable warning. Programmers should not rely on this behavior: in the future, these directives might actually be (properly) implemented. * New listing option -Lc to include the contents of INCBIN files, see section 2.1.4. * New listing option -Lt to include the output from every iteration of TIMES and ALIGN directives, see section 2.1.4. * The %pragma list options directive now support resetting options to their command-line default, see section 2.1.4. * New predefined macros __?LIST_OPTIONS?__ and __?LIST_OPTIONS_DEFAULT?__ to query the active and command-line default listing options. See section 2.1.4. - Update to 3.01: * A new obj2 version of the obj output format, intended for use on OS/2. See section 9.5. * The condition after %if or %elif would be evaluated while output is suppressed after %exitrep or %exitmacro. Although no output would be generated in either case, assembly would fail if evaluating the expression triggered an error. * Fix encoding of TCVTROWPS2PHL, correct multiple AVX512-BF16 instructions' operand formats and typoed mnemonics. * The unofficial but obvious alternate form TEST reg,mem was not accepted by NASM 3.00; corrected. * For the obj output format, multiple GROUP directives can now be specified for the same group; the resulting group includes all sections specified in all GROUP directives for the group. * A new %selbits() preprocessor function. See section 5.4.19. * A new --bits option as convenience shorthand for --before "BITS ...". See section 2.1.31. * The options and pragmas for configuring external label mangling were inconsistent, the former using the spelling postfix and the latter suffix. Furthermore, these were also documented as directives in addition to pragmas. Implement the already documented directives (bracketed forms only) and allow both postfix and suffix in all cases. See section 2.1.28 and section 8.10. * Define additional permissive patterns and fix several opcode bugs. * Fix parsing of two-operand forms of x87 instructions. * Fix bogus "absolute address can not be RIP-relative" warning. * Hopefully fix building with OpenWatcom. * Generate a warning, promoted to error by default, on the use of o64 prefixes in 16- or 32-bit mode. If demoted to a warning or suppressed the prefix is ignored, but likely will trigger subsequent, harder to debug, error messages. * More consistent handling of jump and call instructions with specified operand sizes. * Fix an operand size handling bug in the CMPXCHG instruction. - Update to 3.00: * Improve the documentation for building from source (appendix D). * Add support for the APX and AVX10 instruction sets, and various miscellaneous new instructions. * Add new preprocessor functions: %b2hs(), %chr(), %depend(), %find(), %findi(), %hs2b(), %null(), %ord(), %pathsearch(), and %realpath(). See section 5.4. * New preprocessor directive %note to insert a note in the list file, without issuing an external diagnosic. Unlike a comment, it is optionally macro-expanded, see section 5.11. * New preprocessor directive %iffile (and corresponding function %isfile()) to test for the existence of a file. See section 5.6.12. * New preprocessor directive %ifdirective to test for the existence of a preprocessor directive, assembly directive, or pseudo-instruction; see section 5.6.10. * Fix a number of invalid memory references (usually causing crashes) on various invalid inputs. * Fix multiple bugs in the handling of $--escaped symbols. * The use of $ as a prefix for hexadecimal numbers has been deprecated, and will now issue a warning. A new directive [DOLLARHEX] can be used to disable this syntax entirely, see section 8.12. * Fix the generation of segment selector references (mainly used in the obj output format.) * Fix crash in the obj backend when code was emitted into the default segment, without any labels having been defined. * Clean up the command-line help text (-h) and break it down into individual topics, as the previous output was just too verbose to be practical as a quick reference. * The implicit DEFAULT ABS in 64-bit mode is deprecated and may be changed to REL in the future. See section 8.2. A warning is now emitted for this condition. * It is now possible to set the REL/ABS default for memory accesses using FS: or GS:, see section 8.2. * The __?DEFAULT?__ standard macro now reflects the settings of the DEFAULT directive. See section 6.4. * The NASM preprocessor now assumes that an unknown directive starting with %if or %elif is a misspelled or not yet implemented conditional directive, and tries to match it with a corresponding %endif. See section 5.6.14. * The masm macro package now defines a macro for x87 register syntax. See section 7.5. * A new macro package, vtern, to simplify generation of the control immediates for the VPTERNLOGD and VPTERNLOGQ instructions. See section 7.6. * A new command line option -LF allows overriding [LIST -] directives. * In the obj output format, allow a segment in the FLAT pseudo-group to also belong to another (real) group. Used on OS/2. * Add a new build_version directive to the Mach-O backend. See section 9.8.6. * Fix a spec violation in the generation of DWARF debugging information on ELF. * Response files can now be nested. * Many documentation improvements.
Patchnames: openSUSE-Leap-16.0-1237
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64
Vendor Fix
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le
Vendor Fix
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x
Vendor Fix
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64
Vendor Fix
Threats
Impact low
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64
Vendor Fix
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le
Vendor Fix
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x
Vendor Fix
Unresolved product id: openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64
Vendor Fix
Threats
Impact low

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for nasm",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for nasm fixes the following issues\n\n- CVE-2026-6067: heap buffer overflow vulnerability due to a lack of bounds checking in the obj_directive() function\n  (bsc#1261986).\n- CVE-2026-6068: heap use after free vulnerability in response file processing (bsc#1261985).\n\nChanges for nasm:\n\n- Update to 3.02:\n\n * Fix build problems on C23 compilers using a pre-C23 version of \u003cstdbool.h\u003e\n which defines bool as a macro in violation of the C23 specification.\n * The immediate form of the JMPE instruction (opcode 0F B8) has been changed\n to an absolute address, as in the Itanium Architecture Software Developer\u0027s\n Manual, version 2.3, Volume 4, page 4:249. Hopefully this won\u0027t break\n whatever virtual environments use JMPE, but it is the closest thing there\n is to an official specification for this opcode.\n * Being an absolute address, treat it equivalent to a FAR jump and do not\n default to 64 bits in 64-bit mode.\n * That JMPE has apparently been wrong all these years is probably as good of\n a hint as any how much it has been actually used, but it does have the\n possibility of breaking virtual environments. In that case, please file a\n bug report to https://bugs.nasm.us with details about the virtual\n environment, and we will figure out a suitable solution.\n * Various build fixes. Fix the documentation not building on MacOS because of\n the cp utility lacking -u there. Also fix not building generally due to\n wrong link formatting. Another fix was a typo in compiler.h related to a\n C++ check.\n * Corrections to assembling encodings:\n + Fix CMP allowing LOCK which is illegal.\n + Correct multiple AVX512 instructions such as VCVTSD2SI, VCVTSD2USI,\n VCVTSS2SI, VCVTSS2USI, VCVTTSD2SI, VCVTTSD2USI, VCVTTSS2SI, VCVTTSS2USI,\n VGETEXPSH, VGETMANTSH, MOVDDUP, VMOVDDUP.\n + Fixed other encodings or instruction formats for instructions UWRMSR,\n CMPSD, VCMPSS, V4FMADDSS, V4FNMADDSS, VCVTDQ2PH, VCVTPD2PH, VCVTPH2UDQ,\n VCVTQQ2PH, VCVTUDQ2PH, VCVTUQQ2PH, VGETEXPSH, VGETMANTSH, VRCPPH,\n VRSQRTPH, VCVTPH2BF8, VCVTPH2BF8S, VCVTPH2HF8, VCVTPH2HF8S.\n + Fixed typos in VP4DPWSSD mnemonic.\n + Fixed BYTE and WORD operands getting the same encoding on arithmetic\n instructions such as CMP.\n + Fixed PUSH not assembling when used with a DWORD in 64-bit mode. This is\n not a recommended syntax as the operand size is still 64 bits, but was\n permitted by earlier versions of NASM.\n + Fix parsing of $--escaped symbols in directives (GLOBAL, STATIC, EXTERN,\n REQUIRED, COMMON).\n * Corrections to disassembling:\n + Shift instructions with the unity operand were getting disassembled to a\n zero operand instead of one.\n + JMP, CALL and JMPE disassembled incorrectly with the register operands.\n * Whole bunch of minor fixes to operand sizes, operand size prefixes. Changes\n mostly return the behavior known from 2.16.03.\n * MOV [mem], label would be accepted without size specifiers which could\n cause unintended consequences. Raise an error if no size was specified and\n one of the operands is a memory reference and another operands is a label.\n * JMP NEAR is now the same as JMP STRICT NEAR as the STRICT is redundant\n here. JMP WORD on the other hand is up for optimization as NEAR and WORD\n relate to different things -- jump lengths and operation sizes respectively.\n * Using redundant (or not) but valid operands size prefixes was fixed on\n instructions such as IRET, PUSHF, POPF, PUSH and POP.\n * Using an operand size prefix on a JMP or CALL instruction could generate an\n invalid instruction. This appears to have been a long-standing bug.\n Specifying the operand size by specifying the size of the immediate\n explicitly (e.g. JMP DWORD label) has always worked correctly, however.\n * Add support for C2y-style \\o escape sequences, braced escape sequences, and\n as NASM extensions, decimal escape sequences (\\d) and control-character\n escape sequences (\\^). See section 3.4.2.\n * Fix generation of the short opcodes for ADD, OR, ADC, SBB, AND, SUB, XOR, and CMP AL,imm8.\n * Fix truncation of the generated constant to 63 bits when invoking a\n single-line macro when an argument is defined as =/b or =/ub.\n * Add an %env() preprocessor function as a more robust and flexible\n alternative to the %! construct. See section 5.5.7.\n * The maximum number of multi-line macro parameters is now a configurable\n limit. See section 2.1.32.\n * The --limit- options and %pragma limit now accept the keywords default,\n maximum, and reset. See section 2.1.32.\n * Fix parsing of seg:offs--style FAR pointers in EQU.\n * Fix the %clear preprocessor directive hanging when given parameters.\n * The never properly implemented (or documented) preprocessor directives\n %rmacro and %irmacro are now properly disabled; to avoid breaking existing\n code, they fall back to %macro and %imacro with a suitable warning.\n Programmers should not rely on this behavior: in the future, these\n directives might actually be (properly) implemented.\n * New listing option -Lc to include the contents of INCBIN files, see section 2.1.4.\n * New listing option -Lt to include the output from every iteration of TIMES\n and ALIGN directives, see section 2.1.4.\n * The %pragma list options directive now support resetting options to their\n command-line default, see section 2.1.4.\n * New predefined macros __?LIST_OPTIONS?__ and __?LIST_OPTIONS_DEFAULT?__ to\n query the active and command-line default listing options. See section 2.1.4.\n\n- Update to 3.01:\n\n * A new obj2 version of the obj output format, intended for use on OS/2. See section 9.5.\n * The condition after %if or %elif would be evaluated while output is suppressed\n after %exitrep or %exitmacro. Although no output would be generated in either case,\n assembly would fail if evaluating the expression triggered an error.\n * Fix encoding of TCVTROWPS2PHL, correct multiple AVX512-BF16 instructions\u0027 operand\n formats and typoed mnemonics.\n * The unofficial but obvious alternate form TEST reg,mem was not accepted by NASM 3.00;\n corrected.\n * For the obj output format, multiple GROUP directives can now be specified for the same\n group; the resulting group includes all sections specified in all GROUP directives for\n the group.\n * A new %selbits() preprocessor function. See section 5.4.19.\n * A new --bits option as convenience shorthand for --before \"BITS ...\". See section 2.1.31.\n * The options and pragmas for configuring external label mangling were inconsistent, the\n former using the spelling postfix and the latter suffix. Furthermore, these were also\n documented as directives in addition to pragmas. Implement the already documented\n directives (bracketed forms only) and allow both postfix and suffix in all cases.\n See section 2.1.28 and section 8.10.\n * Define additional permissive patterns and fix several opcode bugs.\n * Fix parsing of two-operand forms of x87 instructions.\n * Fix bogus \"absolute address can not be RIP-relative\" warning.\n * Hopefully fix building with OpenWatcom.\n * Generate a warning, promoted to error by default, on the use of o64 prefixes in\n 16- or 32-bit mode. If demoted to a warning or suppressed the prefix is ignored, but\n likely will trigger subsequent, harder to debug, error messages.\n * More consistent handling of jump and call instructions with specified operand sizes.\n * Fix an operand size handling bug in the CMPXCHG instruction.\n\n- Update to 3.00:\n\n * Improve the documentation for building from source (appendix D).\n * Add support for the APX and AVX10 instruction sets, and various miscellaneous new instructions.\n * Add new preprocessor functions: %b2hs(), %chr(), %depend(), %find(),\n %findi(), %hs2b(), %null(), %ord(), %pathsearch(), and %realpath(). See section 5.4.\n * New preprocessor directive %note to insert a note in the list file,\n without issuing an external diagnosic. Unlike a comment, it is optionally\n macro-expanded, see section 5.11.\n * New preprocessor directive %iffile (and corresponding function %isfile()) to\n test for the existence of a file. See section 5.6.12.\n * New preprocessor directive %ifdirective to test for the existence of a\n preprocessor directive, assembly directive, or pseudo-instruction; see section 5.6.10.\n * Fix a number of invalid memory references (usually causing crashes) on various invalid inputs.\n * Fix multiple bugs in the handling of $--escaped symbols.\n * The use of $ as a prefix for hexadecimal numbers has been deprecated,\n and will now issue a warning. A new directive [DOLLARHEX] can be used to disable\n this syntax entirely, see section 8.12.\n * Fix the generation of segment selector references (mainly used in the obj output format.)\n * Fix crash in the obj backend when code was emitted into the default segment,\n without any labels having been defined.\n * Clean up the command-line help text (-h) and break it down into individual\n topics, as the previous output was just too verbose to be practical as a quick reference.\n * The implicit DEFAULT ABS in 64-bit mode is deprecated and may be changed to REL\n in the future. See section 8.2. A warning is now emitted for this condition.\n * It is now possible to set the REL/ABS default for memory accesses using FS: or GS:,\n see section 8.2.\n * The __?DEFAULT?__ standard macro now reflects the settings of the DEFAULT directive.\n See section 6.4.\n * The NASM preprocessor now assumes that an unknown directive starting with %if or %elif\n is a misspelled or not yet implemented conditional directive, and tries to match it\n with a corresponding %endif. See section 5.6.14.\n * The masm macro package now defines a macro for x87 register syntax. See section 7.5.\n * A new macro package, vtern, to simplify generation of the control immediates for\n the VPTERNLOGD and VPTERNLOGQ instructions. See section 7.6.\n * A new command line option -LF allows overriding [LIST -] directives.\n * In the obj output format, allow a segment in the FLAT pseudo-group to also belong to\n another (real) group. Used on OS/2.\n * Add a new build_version directive to the Mach-O backend. See section 9.8.6.\n * Fix a spec violation in the generation of DWARF debugging information on ELF.\n * Response files can now be nested.\n * Many documentation improvements.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-1237",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_21333-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261985",
        "url": "https://bugzilla.suse.com/1261985"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261986",
        "url": "https://bugzilla.suse.com/1261986"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-6067 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-6067/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-6068 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-6068/"
      }
    ],
    "title": "Security update for nasm",
    "tracking": {
      "current_release_date": "2026-07-13T19:29:42Z",
      "generator": {
        "date": "2026-07-13T19:29:42Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:21333-1",
      "initial_release_date": "2026-07-13T19:29:42Z",
      "revision_history": [
        {
          "date": "2026-07-13T19:29:42Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nasm-3.02-160000.1.1.aarch64",
                "product": {
                  "name": "nasm-3.02-160000.1.1.aarch64",
                  "product_id": "nasm-3.02-160000.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nasm-3.02-160000.1.1.ppc64le",
                "product": {
                  "name": "nasm-3.02-160000.1.1.ppc64le",
                  "product_id": "nasm-3.02-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nasm-3.02-160000.1.1.s390x",
                "product": {
                  "name": "nasm-3.02-160000.1.1.s390x",
                  "product_id": "nasm-3.02-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nasm-3.02-160000.1.1.x86_64",
                "product": {
                  "name": "nasm-3.02-160000.1.1.x86_64",
                  "product_id": "nasm-3.02-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nasm-3.02-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64"
        },
        "product_reference": "nasm-3.02-160000.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nasm-3.02-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le"
        },
        "product_reference": "nasm-3.02-160000.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nasm-3.02-160000.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x"
        },
        "product_reference": "nasm-3.02-160000.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nasm-3.02-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
        },
        "product_reference": "nasm-3.02-160000.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6067",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-6067"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64",
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x",
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-6067",
          "url": "https://www.suse.com/security/cve/CVE-2026-6067"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261986 for CVE-2026-6067",
          "url": "https://bugzilla.suse.com/1261986"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-13T19:29:42Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-6067"
    },
    {
      "cve": "CVE-2026-6068",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-6068"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64",
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x",
          "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-6068",
          "url": "https://www.suse.com/security/cve/CVE-2026-6068"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261985 for CVE-2026-6068",
          "url": "https://bugzilla.suse.com/1261985"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.aarch64",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.s390x",
            "openSUSE Leap 16.0:nasm-3.02-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-13T19:29:42Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-6068"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…