CVE-2026-35206 (GCVE-0-2026-35206)
Vulnerability from cvelistv5 – Published: 2026-04-09 21:02 – Updated: 2026-04-14 14:45
VLAI
EPSS
Title
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Summary
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/helm/helm/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/helm/helm/commit/4e7994d446718… | x_refsource_MISC |
| https://github.com/helm/helm/releases/tag/v4.1.4 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:45:03.230344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:45:12.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "helm",
"vendor": "helm",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.4"
},
{
"status": "affected",
"version": "\u003c 3.20.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T21:02:13.594Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"
},
{
"name": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"
},
{
"name": "https://github.com/helm/helm/releases/tag/v4.1.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
}
],
"source": {
"advisory": "GHSA-hr2v-4r36-88hr",
"discovery": "UNKNOWN"
},
"title": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35206",
"datePublished": "2026-04-09T21:02:13.594Z",
"dateReserved": "2026-04-01T18:48:58.937Z",
"dateUpdated": "2026-04-14T14:45:12.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-35206",
"date": "2026-06-26",
"epss": "0.00199",
"percentile": "0.09846"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-35206\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T21:16:09.993\",\"lastModified\":\"2026-04-16T20:36:08.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\"
,\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.20.2\",\"matchCriteriaId\":\"07487FEE-D6F0-42D6-953A-C1C68CFEB0EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.1.4\",\"matchCriteriaId\":\"800B9949-E36B-45F3-9EA0-CA9DDA3D8868\"}]}]}],\"references\":[{\"url\":\"https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/helm/helm/releases/tag/v4.1.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release 
Notes\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35206\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-14T14:45:03.230344Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-14T14:45:08.743Z\"}}], \"cna\": {\"title\": \"Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment\", \"source\": {\"advisory\": \"GHSA-hr2v-4r36-88hr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"helm\", \"product\": \"helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.1.4\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.20.2\"}]}], \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\", \"name\": \"https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": 
\"https://github.com/helm/helm/releases/tag/v4.1.4\", \"name\": \"https://github.com/helm/helm/releases/tag/v4.1.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-09T21:02:13.594Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-35206\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-14T14:45:12.096Z\", \"dateReserved\": \"2026-04-01T18:48:58.937Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-09T21:02:13.594Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
SUSE-SU-2026:21461-1
Vulnerability from csaf_suse - Published: 2026-04-30 13:22 - Updated: 2026-04-30 13:22
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues:
Update to version 3.20.2.
Security issues fixed:
- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to
expected output directory suffixed by the Chart's name (bsc#1261938).
Other updates and bugfixes:
- Version 3.20.1:
- chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
- add image index test 90e1056 (Pedro Trres)
- fix pulling charts from OCI indices 911f2e9 (Pedro Trres)
- Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
- Fix import 45c12f7 (Evans Mungai)
- Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
- Fix lint warning 09f5129 (Evans Mungai)
- Preserve nil values in chart already 417deb2 (Evans Mungai)
- fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)
- Version 3.20.0:
- SDK: bump k8s API versions to v0.35.0
- v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564
- v3 backport: Bump Go version to v1.25
- bump version to v3.20
- chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
- chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
- chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
- chore(deps): bump the k8s-io group with 7 updates
- [dev-v3] Replace deprecated `NewSimpleClientset`
- [dev-v3] Bump Go v1.25, `golangci-lint` v2
- chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
- chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
- fix(rollback): `errors.Is` instead of string comp
- fix(uninstall): supersede deployed releases
- Use latest patch release of Go in releases
- chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
- chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
- chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
- chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
- chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
- chore(deps): bump github.com/cyphar/filepath-securejoin
- chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
- chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
- Remove dev-v3 `helm-latest-version` publish
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
- Revert "pkg/registry: Login option for passing TLS config in memory"
- jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
- Fix `helm pull` untar dir check with repo urls
- chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
- chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
- [backport] fix: get-helm-3 script use helm3-latest-version
- pkg/registry: Login option for passing TLS config in memory
- Fix deprecation warning
- chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
- chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
- Avoid "panic: interface conversion: interface {} is nil"
- bump version to v3.19.0
- chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
- fix: set repo authorizer in registry.Client.Resolve()
- fix null merge
- Add timeout flag to repo add and update flags
- Version 3.19.5:
- Fixed bug where removing subchart value via override resulted in warning #31118
- Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556
- fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
- fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
- fix null merge 578564e (Ben Foster)
- Version 3.19.4:
- Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
- chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
- chore(deps): bump the k8s-io group with 7 updates edb1579
- Version 3.19.3:
- Bump golang.org/x/crypto to v0.45.0
- Version 3.19.2:
- [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)
Patchnames: SUSE-SL-Micro-6.2-661
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
4.4 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\nUpdate to version 3.20.2.\n\nSecurity issued fixed:\n\n- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to\n expected output directory suffixed by the Chart\u0027s name (bsc#1261938).\n\nOther updates and bugfixes:\n\n- Version 3.20.1:\n - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])\n - add image index test 90e1056 (Pedro Trres)\n - fix pulling charts from OCI indices 911f2e9 (Pedro Trres)\n - Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)\n - Fix import 45c12f7 (Evans Mungai)\n - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)\n - Fix lint warning 09f5129 (Evans Mungai)\n - Preserve nil values in chart already 417deb2 (Evans Mungai)\n - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)\n- Version 3.20.0:\n - SDK: bump k8s API versions to v0.35.0\n - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564\n - v3 backport: Bump Go version to v1.25\n - bump version to v3.20\n - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0\n - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0\n - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0\n - chore(deps): bump the k8s-io group with 7 updates\n - [dev-v3] Replace deprecated `NewSimpleClientset`\n - [dev-v3] Bump Go v1.25, `golangci-lint` v2\n - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0\n - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30\n - fix(rollback): `errors.Is` instead of string comp\n - fix(uninstall): supersede deployed releases\n - Use latest patch release of Go in releases\n - chore(deps): bump golang.org/x/crypto from 0.45.0 to 
0.46.0\n - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0\n - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0\n - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2\n - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0\n - chore(deps): bump github.com/cyphar/filepath-securejoin\n - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0\n - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0\n - Remove dev-v3 `helm-latest-version` publish\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29\n - Revert \"pkg/registry: Login option for passing TLS config in memory\"\n - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4\n - Fix `helm pull` untar dir check with repo urls\n - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0\n - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0\n - [backport] fix: get-helm-3 script use helm3-latest-version\n - pkg/registry: Login option for passing TLS config in memory\n - Fix deprecation warning\n - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0\n - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0\n - Avoid \"panic: interface conversion: interface {} is nil\"\n - bump version to v3.19.0\n - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10\n - fix: set repo authorizer in registry.Client.Resolve()\n - fix null merge\n - Add timeout flag to repo add and update flags\n- Version 3.19.5:\n - Fixed bug where removing subchart value via override resulted in warning #31118\n - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556\n - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)\n - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)\n - fix null merge 578564e (Ben Foster)\n- 
Version 3.19.4:\n - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])\n - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])\n - chore(deps): bump the k8s-io group with 7 updates edb1579\n- Version 3.19.3:\n - Bump golang.org/x/crypto to v0.45.0\n- Version 3.19.2:\n - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21461-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21461-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621461-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21461-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025795.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-04-30T13:22:50Z",
"generator": {
"date": "2026-04-30T13:22:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21461-1",
"initial_release_date": "2026-04-30T13:22:50Z",
"revision_history": [
{
"date": "2026-04-30T13:22:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.aarch64",
"product": {
"name": "helm-3.20.2-160000.1.1.aarch64",
"product_id": "helm-3.20.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product": {
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product_id": "helm-3.20.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.s390x",
"product": {
"name": "helm-3.20.2-160000.1.1.s390x",
"product_id": "helm-3.20.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.x86_64",
"product": {
"name": "helm-3.20.2-160000.1.1.x86_64",
"product_id": "helm-3.20.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:21628-1
Vulnerability from csaf_suse - Published: 2026-05-12 09:44 - Updated: 2026-05-12 09:44
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues
Security issues:
- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart (bsc#1261938). A crafted chart makes `helm pull --untar` extract the chart's contents directly into the output directory (the current working directory by default, or the path given by `--destination`/`--untardir`) instead of into the expected chart-named subdirectory; upstream versions <=3.20.1 and <=4.1.3 are affected, and the fix is in 3.20.2 and 4.1.4, which this update ships.
Non security issue:
- Update to version 3.20.2
- Fix packages for %suse_version bump (jsc#PED-15794).
Patchnames: SUSE-SLE-Micro-6.0-705
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2025-55199 — CVSS v3.1 base score 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x | — | — | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch | — | — | Vendor Fix |
Threats
Impact
moderate
CVE-2026-35206 — CVSS v3.1 base score 4.4 (Medium), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x | — | — | Vendor Fix |
| SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch | — | — | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues\n\nSecurity issues:\n\n- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart\n (bsc#1261938).\n\nNon security issue:\n\n- Update to version 3.20.2 \n- Fix packages for %suse_version bump (jsc#PED-15794).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-705",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21628-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21628-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621628-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21628-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046486.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-05-12T09:44:44Z",
"generator": {
"date": "2026-05-12T09:44:44Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21628-1",
"initial_release_date": "2026-05-12T09:44:44Z",
"revision_history": [
{
"date": "2026-05-12T09:44:44Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-1.1.aarch64",
"product": {
"name": "helm-3.20.2-1.1.aarch64",
"product_id": "helm-3.20.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-1.1.s390x",
"product": {
"name": "helm-3.20.2-1.1.s390x",
"product_id": "helm-3.20.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-1.1.x86_64",
"product": {
"name": "helm-3.20.2-1.1.x86_64",
"product_id": "helm-3.20.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-1.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64"
},
"product_reference": "helm-3.20.2-1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-1.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x"
},
"product_reference": "helm-3.20.2-1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-1.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64"
},
"product_reference": "helm-3.20.2-1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-1.1.noarch as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T09:44:44Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.aarch64",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.s390x",
"SUSE Linux Micro 6.0:helm-3.20.2-1.1.x86_64",
"SUSE Linux Micro 6.0:helm-bash-completion-3.20.2-1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T09:44:44Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:21635-1
Vulnerability from csaf_suse - Published: 2026-05-12 10:16 - Updated: 2026-05-12 10:16
Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues
Security issues:
- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart (bsc#1261938). A crafted chart makes `helm pull --untar` extract the chart's contents directly into the output directory (the current working directory by default, or the path given by `--destination`/`--untardir`) instead of into the expected chart-named subdirectory; upstream versions <=3.20.1 and <=4.1.3 are affected, and the fix is in 3.20.2 and 4.1.4, which this update ships.
Non security issue:
- Update to version 3.20.2
- Fix packages for %suse_version bump (jsc#PED-15794).
Patchnames: SUSE-SLE-Micro-6.1-525
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2025-55199 — CVSS v3.1 base score 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch | — | — | Vendor Fix |
Threats
Impact
moderate
CVE-2026-35206 — CVSS v3.1 base score 4.4 (Medium), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64 | — | — | Vendor Fix |
| SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch | — | — | Vendor Fix |
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues\n\nSecurity issues:\n\n- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart\n (bsc#1261938).\n\nNon security issue:\n\n- Update to version 3.20.2\n- Fix packages for %suse_version bump (jsc#PED-15794).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-525",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21635-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21635-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621635-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21635-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046479.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-05-12T10:16:57Z",
"generator": {
"date": "2026-05-12T10:16:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21635-1",
"initial_release_date": "2026-05-12T10:16:57Z",
"revision_history": [
{
"date": "2026-05-12T10:16:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.aarch64",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.aarch64",
"product_id": "helm-3.20.2-slfo.1.1_1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.ppc64le",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.ppc64le",
"product_id": "helm-3.20.2-slfo.1.1_1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.s390x",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.s390x",
"product_id": "helm-3.20.2-slfo.1.1_1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-slfo.1.1_1.1.x86_64",
"product": {
"name": "helm-3.20.2-slfo.1.1_1.1.x86_64",
"product_id": "helm-3.20.2-slfo.1.1_1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64"
},
"product_reference": "helm-3.20.2-slfo.1.1_1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T10:16:57Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:helm-3.20.2-slfo.1.1_1.1.x86_64",
"SUSE Linux Micro 6.1:helm-bash-completion-3.20.2-slfo.1.1_1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T10:16:57Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
WID-SEC-W-2026-1048
Vulnerability from csaf_certbund - Published: 2026-04-09 22:00 - Updated: 2026-06-16 22:00
Summary
helm: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Helm ist ein Open-Source-Paketmanager für Kubernetes, der die Bereitstellung und Verwaltung von Anwendungen vereinfacht.
Angriff: Ein Angreifer kann mehrere Schwachstellen in helm ausnutzen, um Dateien zu manipulieren, um Sicherheitsvorkehrungen zu umgehen, und potenziell um beliebigen Code auszuführen.
Betroffene Betriebssysteme: - Linux
- UNIX
Affected products
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux (SUSE) | cpe:/o:suse:suse_linux:- | — | |
| Open Source helm <4.1.4 (Open Source / helm) | | <4.1.4 | |
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
| SUSE openSUSE (SUSE) | cpe:/o:suse:opensuse:- | — | |
| Microsoft Azure Linux azl3 (Microsoft / Azure Linux) | cpe:/o:microsoft:azure_linux:azl3 | azl3 | |
| Open Source helm <3.20.2 (Open Source / helm) | | <3.20.2 | |
Affected products
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux (SUSE) | cpe:/o:suse:suse_linux:- | — | |
| Open Source helm <4.1.4 (Open Source / helm) | | <4.1.4 | |
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
| SUSE openSUSE (SUSE) | cpe:/o:suse:opensuse:- | — | |
| Microsoft Azure Linux azl3 (Microsoft / Azure Linux) | cpe:/o:microsoft:azure_linux:azl3 | azl3 | |
| Open Source helm <3.20.2 (Open Source / helm) | | <3.20.2 | |
Affected products
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux (SUSE) | cpe:/o:suse:suse_linux:- | — | |
| Open Source helm <4.1.4 (Open Source / helm) | | <4.1.4 | |
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
| SUSE openSUSE (SUSE) | cpe:/o:suse:opensuse:- | — | |
| Microsoft Azure Linux azl3 (Microsoft / Azure Linux) | cpe:/o:microsoft:azure_linux:azl3 | azl3 | |
| Open Source helm <3.20.2 (Open Source / helm) | | <3.20.2 | |
References
16 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Helm ist ein Open-Source-Paketmanager f\u00fcr Kubernetes, der die Bereitstellung und Verwaltung von Anwendungen vereinfacht.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in helm ausnutzen, um Dateien zu manipulieren, um Sicherheitsvorkehrungen zu umgehen, und potenziell um beliebigen Code auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1048 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1048.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1048 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1048"
},
{
"category": "external",
"summary": "Helm 4.1.4 Release Notes vom 2026-04-09",
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-VMX8-MQV2-9GMG vom 2026-04-09",
"url": "https://github.com/helm/helm/security/advisories/GHSA-vmx8-mqv2-9gmg"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-Q5JF-9VFQ-H4H7 vom 2026-04-09",
"url": "https://github.com/helm/helm/security/advisories/GHSA-Q5JF-9VFQ-H4H7"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-HR2V-4R36-88HR vom 2026-04-09",
"url": "https://github.com/helm/helm/security/advisories/GHSA-HR2V-4R36-88HR"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10532-1 vom 2026-04-12",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/37XDZV6RMG5EUCBYWHRRFRJ5NP3M52FR/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10538-1 vom 2026-04-14",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3VDV4VWVWTC6KXD36FKFNZRFVBRHOKIB/"
},
{
"category": "external",
"summary": "Microsoft Security Update Guide vom 2026-04-14",
"url": "https://msrc.microsoft.com/update-guide/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1483-1 vom 2026-04-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025460.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21434-1 vom 2026-05-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025818.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21461-1 vom 2026-05-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025795.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20655-1 vom 2026-05-04",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E3IHNXEG2P5U44VJFWYSBUQWBQ4GFJYP/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21635-1 vom 2026-05-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026057.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21628-1 vom 2026-05-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026064.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26441 vom 2026-06-16",
"url": "https://access.redhat.com/errata/RHSA-2026:26441"
}
],
"source_lang": "en-US",
"title": "helm: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-06-16T22:00:00.000+00:00",
"generator": {
"date": "2026-06-17T09:00:33.059+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1048",
"initial_release_date": "2026-04-09T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-04-09T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-04-12T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-04-14T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-04-20T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-05-03T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-05-04T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-05-17T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-06-16T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "8"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "azl3",
"product": {
"name": "Microsoft Azure Linux azl3",
"product_id": "T049210",
"product_identification_helper": {
"cpe": "cpe:/o:microsoft:azure_linux:azl3"
}
}
}
],
"category": "product_name",
"name": "Azure Linux"
}
],
"category": "vendor",
"name": "Microsoft"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.1.4",
"product": {
"name": "Open Source helm \u003c4.1.4",
"product_id": "T052649"
}
},
{
"category": "product_version",
"name": "4.1.4",
"product": {
"name": "Open Source helm 4.1.4",
"product_id": "T052649-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:helm:helm:4.1.4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c3.20.2",
"product": {
"name": "Open Source helm \u003c3.20.2",
"product_id": "T052650"
}
},
{
"category": "product_version",
"name": "3.20.2",
"product": {
"name": "Open Source helm 3.20.2",
"product_id": "T052650-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:helm:helm:3.20.2"
}
}
}
],
"category": "product_name",
"name": "helm"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-35204",
"product_status": {
"known_affected": [
"T002207",
"T052649",
"67646",
"T027843",
"T049210",
"T052650"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-35204"
},
{
"cve": "CVE-2026-35205",
"product_status": {
"known_affected": [
"T002207",
"T052649",
"67646",
"T027843",
"T049210",
"T052650"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-35205"
},
{
"cve": "CVE-2026-35206",
"product_status": {
"known_affected": [
"T002207",
"T052649",
"67646",
"T027843",
"T049210",
"T052650"
]
},
"release_date": "2026-04-09T22:00:00.000+00:00",
"title": "CVE-2026-35206"
}
]
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.