SUSE-SU-2026:21560-1
Vulnerability from csaf_suse - Published: 2026-05-06 00:44 - Updated: 2026-05-06 00:44Summary
Security update for distribution
Severity
Important
Notes
Title of the patch: Security update for distribution
Description of the patch: This update for distribution fixes the following issues
Security issues:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
header (bsc#1260283).
- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of
service (bsc#1262951).
- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).
Non security issues:
- add distribution-registry.tmpfiles (jsc#PED-14747).
- distribution builds against go1.24 EOL (bsc#1259718).
Changes for distribution:
- update to 3.1.0
* Adds support for tag pagination
* Fixes default credentials in Azure storage provider
* Drops support for go1.23 and go1.24 and updates to go1.25
* See the full changelog below for the full list of changes.
* docs: Update to refer to new image tag v3
* Fix default_credentials in azure storage provider
* chore: make function comment match function name
* build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in
the go_modules group across 1 directory
* fix: implement JWK thumbprint for Ed25519 public keys
* fix: Annotate code block from validation.indexes
configuration docs
* feat: extract redis config to separate struct
* Fix: resolve issue #4478 by using a temporary file for non-
append writes
* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
* docs: Add note about `OTEL_TRACES_EXPORTER`
* fix: set OTEL traces to disabled by default
* Fix markdown syntax for OTEL traces link in docs
* Switch UUIDs to UUIDv7
* refactor: replace map iteration with maps.Copy/Clone
* s3-aws: fix build for 386
* docs: Add OpenTelemetry links to quickstart docs
* Fix S3 driver loglevel param
* Fixed data race in TestSchedule test
* Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of
ecdsa keys
* build(deps): bump actions/checkout from 4 to 5
* Fix broken link to Docker Hub fair use policy
* fix(registry/handlers/app): redis CAs
* build(deps): bump actions/labeler from 5 to 6
* build(deps): bump actions/setup-go from 5 to 6
* build(deps): bump actions/upload-pages-artifact from 3 to 4
* build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
* build(deps): bump github/codeql-action from 3.26.5 to 4.30.7
* build(deps): bump github/codeql-action from 4.30.7 to 4.30.8
* chore: labeler: add area/client mapping for
internal/client/**
* client: add Accept headers to Exists() HEAD
* feat(registry): Make graceful shutdown test robust
* fix(registry): Correct log formatting for upstream challenge
* build(deps): bump github/codeql-action from 4.30.8 to 4.30.9
* build(deps): bump github/codeql-action from 4.30.9 to 4.31.3
* refactor: remove redundant variable declarations in for loops
* "should" -> "must" regarding redis eviction policy
* build(deps): bump actions/checkout from 5 to 6
* Incorrect warning hint
* Add return error when list object
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0
* build(deps): bump peter-evans/dockerhub-description from 4 to
5
* fix: Logging regression for manifest HEAD requests
* Add boolean parsing util
* Expose `useFIPSEndpoint` for S3
* Add Cloudfleet Container Registry to adopters
* fix(ci): Fix broken Azure e2e storage tests
* BUG: Fix notification filtering to work with actions when
mediatypes is empty
* build(deps): bump actions/checkout from 6.0.0 to 6.0.1
* build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
* build(deps): bump github/codeql-action from 4.31.3 to 4.31.10
* build(deps): bump github/codeql-action from 4.31.10 to 4.32.2
* build(deps): bump actions/checkout from 6.0.1 to 6.0.2
* update golangci-lint to v2.9 and fix linting issues
* update to go1.25.7, alpine 3.23, xx v1.9.0
* vendor: github.com/sirupsen/logrus v1.9.4
* vendor: update golang.org/x/* dependencies
* vendor: github.com/docker/docker-credential-helpers v0.9.5
* vendor: github.com/opencontainers/image-spec v1.1.1
* vendor: github.com/klauspost/compress v1.18.4
* fix: prefer otel variables over hard coded service name
* vendor: github.com/spf13/cobra v1.10.2
* vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
* fix: sync parent dir to ensure data is reliably stored
* modernize code
* vendor: github.com/docker/go-events 605354379745
* vendor: github.com/go-jose/go-jose/v4 v4.1.3
* build(deps): bump github/codeql-action from 4.32.2 to 4.32.5
* build(deps): bump docker/login-action from 3 to 4
* build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
* build(deps): bump docker/setup-buildx-action from 3 to 4
* build(deps): bump docker/bake-action from 6 to 7
* build(deps): bump docker/metadata-action from 5 to 6
* fix: nil-check scheduler in `proxyingRegistry.Close()`
* fix: set MD5 on GCS writer before first `Write` call in
`putContent`
* docs: pull through cache will pull from remote multiple times
* Update s3.md regionendpoint option
* chore(deps): Bump Go to latest 1.25 in CI workflows and
go.mod
* fix: correct Ed25519 JWK thumbprint `kty` from `"OTP"` to
`"OKP"`
* Update vacuum.go
* Opt: refector tag list pagination support (stage 1)
* Correctly match environment variables to YAML-inlined structs
in configuration
* Enable Redis TLS without client certificates
* build(deps): bump actions/deploy-pages from 4 to 5
* build(deps): bump github/codeql-action from 4.32.5 to 4.34.1
* fix(registry/proxy): use detached context when flushing write
buffer
* ci: pin actions and apply zizmor auto-fixes
* build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
* build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to
4.1.4 in the go_modules group across 1 directory
* chore(app): warn when partial TLS config is used in Redis
* feat(registry): enhance authentication checks in htpasswd
implementation
* Opt: refactor tag list pagination support
* build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
* build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
* fix(vendor): fix broke vendor validation
* chore(ci): Prep for v3.1 release
- Update to version 3.1.0:
* fix(vendor): fix broke vendpor validation
* fix redis repo-scoped blob descriptor revocation
* proxy: bind bearer realms to upstream trust boundary
- restore directory ownership after last change
- Move config files in systemd tmpfiles dir for immutable mode
Patchnames: SUSE-SLES-16.0-703
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for distribution",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for distribution fixes the following issues\n\nSecurity issues:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260283).\n- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of\n service (bsc#1262951).\n- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).\n\nNon security issues:\n\n- add distribution-registry.tmpfiles (jsc#PED-14747).\n- distribution builds against go1.24 EOL (bsc#1259718).\n\nChanges for distribution:\n\n- update to 3.1.0\n\n * Adds support for tag pagination\n * Fixes default credentials in Azure storage provider\n * Drops support for go1.23 and go1.24 and updates to go1.25\n * See the full changelog below for the full list of changes.\n * docs: Update to refer to new image tag v3\n * Fix default_credentials in azure storage provider\n * chore: make function comment match function name\n * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in\n the go_modules group across 1 directory\n * fix: implement JWK thumbprint for Ed25519 public keys\n * fix: Annotate code block from validation.indexes\n configuration docs\n * feat: extract redis config to separate struct\n * Fix: resolve issue #4478 by using a temporary file for non-\n append writes\n * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2\n * docs: Add note about `OTEL_TRACES_EXPORTER`\n * fix: set OTEL traces to disabled by default\n * Fix markdown syntax for OTEL traces link in docs\n * Switch UUIDs to UUIDv7\n * refactor: replace map iteration with maps.Copy/Clone\n * s3-aws: fix build for 386\n * docs: Add OpenTelemetry links to quickstart docs\n * Fix S3 driver loglevel param\n * Fixed data race in TestSchedule test\n * Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of\n ecdsa keys\n * build(deps): bump actions/checkout from 4 to 5\n * Fix broken link to Docker Hub fair use policy\n * fix(registry/handlers/app): redis CAs\n * build(deps): bump actions/labeler from 5 to 6\n * build(deps): bump actions/setup-go from 5 to 6\n * build(deps): bump actions/upload-pages-artifact from 3 to 4\n * build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3\n * build(deps): bump github/codeql-action from 3.26.5 to 4.30.7\n * build(deps): bump github/codeql-action from 4.30.7 to 4.30.8\n * chore: labeler: add area/client mapping for\n internal/client/**\n * client: add Accept headers to Exists() HEAD\n * feat(registry): Make graceful shutdown test robust\n * fix(registry): Correct log formatting for upstream challenge\n * build(deps): bump github/codeql-action from 4.30.8 to 4.30.9\n * build(deps): bump github/codeql-action from 4.30.9 to 4.31.3\n * refactor: remove redundant variable declarations in for loops\n * \"should\" -\u003e \"must\" regarding redis eviction policy\n * build(deps): bump actions/checkout from 5 to 6\n * Incorrect warning hint\n * Add return error when list object\n * build(deps): bump actions/checkout from 5.0.1 to 6.0.0\n * build(deps): bump peter-evans/dockerhub-description from 4 to\n 5\n * fix: Logging regression for manifest HEAD requests\n * Add boolean parsing util\n * Expose `useFIPSEndpoint` for S3\n * Add Cloudfleet Container Registry to adopters\n * fix(ci): Fix broken Azure e2e storage tests\n * BUG: Fix notification filtering to work with actions when\n mediatypes is empty\n * build(deps): bump actions/checkout from 6.0.0 to 6.0.1\n * build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0\n * build(deps): bump github/codeql-action from 4.31.3 to 4.31.10\n * build(deps): bump github/codeql-action from 4.31.10 to 4.32.2\n * build(deps): bump actions/checkout from 6.0.1 to 6.0.2\n * update golangci-lint to v2.9 and fix linting issues\n * update to go1.25.7, alpine 3.23, xx v1.9.0\n * vendor: github.com/sirupsen/logrus v1.9.4\n * vendor: update golang.org/x/* dependencies\n * vendor: github.com/docker/docker-credential-helpers v0.9.5\n * vendor: github.com/opencontainers/image-spec v1.1.1\n * vendor: github.com/klauspost/compress v1.18.4\n * fix: prefer otel variables over hard coded service name\n * vendor: github.com/spf13/cobra v1.10.2\n * vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0\n * fix: sync parent dir to ensure data is reliably stored\n * modernize code\n * vendor: github.com/docker/go-events 605354379745\n * vendor: github.com/go-jose/go-jose/v4 v4.1.3\n * build(deps): bump github/codeql-action from 4.32.2 to 4.32.5\n * build(deps): bump docker/login-action from 3 to 4\n * build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0\n * build(deps): bump docker/setup-buildx-action from 3 to 4\n * build(deps): bump docker/bake-action from 6 to 7\n * build(deps): bump docker/metadata-action from 5 to 6\n * fix: nil-check scheduler in `proxyingRegistry.Close()`\n * fix: set MD5 on GCS writer before first `Write` call in\n `putContent`\n * docs: pull through cache will pull from remote multiple times\n * Update s3.md regionendpoint option\n * chore(deps): Bump Go to latest 1.25 in CI workflows and\n go.mod\n * fix: correct Ed25519 JWK thumbprint `kty` from `\"OTP\"` to\n `\"OKP\"`\n * Update vacuum.go\n * Opt: refector tag list pagination support (stage 1)\n * Correctly match environment variables to YAML-inlined structs\n in configuration\n * Enable Redis TLS without client certificates\n * build(deps): bump actions/deploy-pages from 4 to 5\n * build(deps): bump github/codeql-action from 4.32.5 to 4.34.1\n * fix(registry/proxy): use detached context when flushing write\n buffer\n * ci: pin actions and apply zizmor auto-fixes\n * build(deps): bump actions/setup-go from 6.3.0 to 6.4.0\n * build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to\n 4.1.4 in the go_modules group across 1 directory\n * chore(app): warn when partial TLS config is used in Redis\n * feat(registry): enhance authentication checks in htpasswd\n implementation\n * Opt: refactor tag list pagination support\n * build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0\n * build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0\n * fix(vendor): fix broke vendor validation\n * chore(ci): Prep for v3.1 release\n- Update to version 3.1.0:\n * fix(vendor): fix broke vendpor validation\n * fix redis repo-scoped blob descriptor revocation\n * proxy: bind bearer realms to upstream trust boundary\n- restore directory ownership after last change\n- Move config files in systemd tmpfiles dir for immutable mode\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-703",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21560-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21560-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621560-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21560-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046338.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259718",
"url": "https://bugzilla.suse.com/1259718"
},
{
"category": "self",
"summary": "SUSE Bug 1260283",
"url": "https://bugzilla.suse.com/1260283"
},
{
"category": "self",
"summary": "SUSE Bug 1261793",
"url": "https://bugzilla.suse.com/1261793"
},
{
"category": "self",
"summary": "SUSE Bug 1262096",
"url": "https://bugzilla.suse.com/1262096"
},
{
"category": "self",
"summary": "SUSE Bug 1262951",
"url": "https://bugzilla.suse.com/1262951"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35172 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35172/"
}
],
"title": "Security update for distribution",
"tracking": {
"current_release_date": "2026-05-06T00:44:14Z",
"generator": {
"date": "2026-05-06T00:44:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21560-1",
"initial_release_date": "2026-05-06T00:44:14Z",
"revision_history": [
{
"date": "2026-05-06T00:44:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product_id": "distribution-registry-3.1.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product_id": "distribution-registry-3.1.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product_id": "distribution-registry-3.1.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product_id": "distribution-registry-3.1.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33540"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33540",
"url": "https://www.suse.com/security/cve/CVE-2026-33540"
},
{
"category": "external",
"summary": "SUSE Bug 1261793 for CVE-2026-33540",
"url": "https://bugzilla.suse.com/1261793"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "moderate"
}
],
"title": "CVE-2026-33540"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-35172",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35172"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35172",
"url": "https://www.suse.com/security/cve/CVE-2026-35172"
},
{
"category": "external",
"summary": "SUSE Bug 1262096 for CVE-2026-35172",
"url": "https://bugzilla.suse.com/1262096"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-35172"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…