### This update for ovmf fixes the following issues: * CVE-2026-25833: mbedtls: buffer overflow in the `x509_inet_pton_ipv6()` function (bsc#1261476). * CVE-2026-25834: mbedtls: client accepts signature algorithm chosen by server even if not advertised in client hello (bsc#1261477). * CVE-2026-25835: mbedtls: no pseudo-random number generator reseed when cloning an application (bsc#1261478). * CVE-2026-34874: mbedtls: NULL pointer dereference in distinguished name parsing (bsc#1261469). ## Security update for curl ### This update for curl fixes the following issues: Security issues fixed: * CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631). * CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
* bsc#1259362
* bsc#1261469
* bsc#1261476
* bsc#1261477
* bsc#1261478
* bsc#1262631
* bsc#1262632
* bsc#1262635
* bsc#1262636
* bsc#1262638
Cross-
* CVE-2026-1965
* CVE-2026-25833
* CVE-2026-25834
* CVE-2026-25835
* CVE-2026-34874
* CVE-2026-4873
* CVE-2026-5545
* CVE-2026-6253
* CVE-2026-6276
* CVE-2026-6429
CVSS scores:
* CVE-2026-1965 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
* CVE-2026-1965 ( SUSE ): 7.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
* CVE-2026-1965 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-25833 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25833 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Get the latest Linux and open source security news straight to your inbox.