This update for docker-stable fixes the following issues:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260279).
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265782).
- CVE-2026-33997: moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation (bsc#1265907).
- CVE-2026-34040: Authz zero length regression (bsc#1265929).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266625).
- CVE-2026-41567: arbitrary code execution with full daemon privileges when a user uploads a compressed archive into that container (bsc#1267827).
Patch instructions:
To install this openSUSE security update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
- openSUSE Leap 16.0:
docker-stable-24.0.9_ce-160000.6.1
docker-stable-bash-completion-24.0.9_ce-160000.6.1
docker-stable-buildx-0.25.0-160000.6.1
docker-stable-fish-completion-24.0.9_ce-160000.6.1
docker-stable-rootless-extras-24.0.9_ce-160000.6.1
docker-stable-zsh-completion-24.0.9_ce-160000.6.1
* bsc#1260279
* bsc#1265782
* bsc#1265907
* bsc#1265929
* bsc#1266625
* bsc#1267827
References:
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-33997.html
* https://www.suse.com/security/cve/CVE-2026-34040.html
* https://www.suse.com/security/cve/CVE-2026-39821.html
* https://www.suse.com/security/cve/CVE-2026-41567.html