apptainer (SUSE:Linux Enterprise Module for HPC 15 SP7) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for HPC 15 SP7 package apptainer, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (30)
CVE-2026-46595 — CVSS 10.0 (critical): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed…
CVE-2026-39821 — CVSS 9.6 (critical): The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example…
CVE-2026-39833 — CVSS 9.1 (critical): The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key…
CVE-2026-39834 — CVSS 9.1 (critical): When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation…
CVE-2026-39830 — CVSS 9.1 (critical): A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The…
CVE-2026-42508 — CVSS 9.1 (critical): Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey'…
CVE-2026-33186 — CVSS 9.1 (critical): gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input…
CVE-2026-34986 — CVSS 7.5 (high): Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web…
CVE-2025-47913 — CVSS 7.5 (high): SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
CVE-2026-46597 — CVSS 7.5 (high): An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
CVE-2025-22869 — CVSS 7.5 (high): SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key…
CVE-2026-39829 — CVSS 7.5 (high): The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or…
CVE-2026-33814 — CVSS 7.5 (high): When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a…
CVE-2025-27144: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web…
CVE-2026-39827 — CVSS 6.5 (medium): An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually…
CVE-2025-22872 — CVSS 6.5 (medium): The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When…
CVE-2026-39828 — CVSS 6.3 (medium): When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently…
CVE-2026-24137 — CVSS 5.8 (medium): sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client…
CVE-2026-46598 — CVSS 5.3 (medium): For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
CVE-2025-47911 — CVSS 5.3 (medium): The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial…
CVE-2025-47914 — CVSS 5.3 (medium): SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the…
CVE-2025-58181 — CVSS 5.3 (medium): SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker…
CVE-2025-58190 — CVSS 5.3 (medium): The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of…
CVE-2026-39835 — CVSS 5.3 (medium): SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a…
CVE-2025-65105 — CVSS 4.5 (medium): Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the…
CVE-2025-22870 — CVSS 4.4 (medium): Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY…
CVE-2025-8556 — CVSS 3.7 (low): A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session…
CVE-2024-45310 — CVSS 3.6 (low): runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2…