rpm package
opensuse/google-guest-agent&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/google-guest-agent&distro=openSUSE%20Tumbleweed
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39821 | Cri | 9.6 | < 20260529.00-1.1 | 20260529.00-1.1 | May 22, 2026 | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program | |
| CVE-2026-46595 | Cri | 10.0 | < 20260529.00-2.1 | 20260529.00-2.1 | May 22, 2026 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped. | |
| CVE-2026-39830 | Cri | 9.1 | < 20260529.00-2.1 | 20260529.00-2.1 | May 22, 2026 | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now | |
| CVE-2026-39829 | Hig | 7.5 | < 20260529.00-2.1 | 20260529.00-2.1 | May 22, 2026 | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien | |
| CVE-2026-39827 | Med | 6.5 | < 20260529.00-2.1 | 20260529.00-2.1 | May 22, 2026 | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state | |
| CVE-2026-33814 | Hig | 7.5 | < 20260529.00-1.1 | 20260529.00-1.1 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | |
| CVE-2026-34986 | Hig | 7.5 | < 20260402.00-2.1 | 20260402.00-2.1 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-33186 | Cri | 9.1 | < 20260529.00-1.1 | 20260529.00-1.1 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2025-22868 | — | < 20250116.00-3.1 | 20250116.00-3.1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 20260529.00-1.1 | 20260529.00-1.1 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2024-45337 | Cri | 9.1 | < 20250327.01-1.1 | 20250327.01-1.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2023-45288 | Hig | 7.5 | < 20260529.00-1.1 | 20260529.00-1.1 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma | |
| CVE-2021-38297 | — | < 20230221.00-2.1 | 20230221.00-2.1 | Oct 18, 2021 | Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. |
- affected < 20260529.00-1.1fixed 20260529.00-1.1
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program
- affected < 20260529.00-2.1fixed 20260529.00-2.1
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
- affected < 20260529.00-2.1fixed 20260529.00-2.1
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now
- affected < 20260529.00-2.1fixed 20260529.00-2.1
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien
- affected < 20260529.00-2.1fixed 20260529.00-2.1
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state
- affected < 20260529.00-1.1fixed 20260529.00-1.1
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- affected < 20260402.00-2.1fixed 20260402.00-2.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 20260529.00-1.1fixed 20260529.00-1.1
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- CVE-2025-22868Feb 26, 2025affected < 20250116.00-3.1fixed 20250116.00-3.1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 20260529.00-1.1fixed 20260529.00-1.1
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 20250327.01-1.1fixed 20250327.01-1.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- affected < 20260529.00-1.1fixed 20260529.00-1.1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
- CVE-2021-38297Oct 18, 2021affected < 20230221.00-2.1fixed 20230221.00-2.1
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.