## This update for qemu fixes the following issues:

Update to version 10.0.9.

Security issues fixed:

* CVE-2026-3196: unbounded memory allocation and host denial-of-service via PCM_INFO requests sent from the guest (bsc#1259079).
* CVE-2026-3195: heap out-of-bounds write when reading input audio in the virtio-snd device input callback (bsc#1259080).
* CVE-2026-2243: heap out-of-bounds read and 12-byte information leak when processing specially crafted VMDK files with qemu-img (bsc#1258509).

Other updates and bugfixes:

* Version 10.0.9:
  * Full backport list: https://lore.kernel.org/qemu-devel/20260318045608.7E1B513DFF6@think4mjt.localdomain/
  * hyperv/syndbg: check length returned by cpu_physical_memory_map()
  * fuse: Copy write buffer content before polling

* bsc#1258509
* bsc#1259079
* bsc#1259080
* jsc#PED-13174
Cross-References:
* CVE-2026-2243
* CVE-2026-3195
* CVE-2026-3196
CVSS scores:
* CVE-2026-2243 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-2243 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
* CVE-2026-2243 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-3195 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H
* CVE-2026-3195 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-3196 ( SUSE ): 8.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
* CVE-2026-3196 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Affected Products:
* SUSE Linux Enterprise Server 16.0