SUSE-SU-2026:20061-1: important: Security update for openvswitch

SLE-SECURITY-UPDATES null at suse.de
Thu Jan 15 08:31:00 UTC 2026 


# Security update for openvswitch

Announcement ID: SUSE-SU-2026:20061-1  
Release Date: 2026-01-08T14:44:35Z  
Rating: important  
References:

  * bsc#1216002
  * bsc#1219465
  * bsc#1236353
  * bsc#1255435

  
Cross-References:

  * CVE-2023-3966
  * CVE-2023-5366
  * CVE-2024-2182
  * CVE-2025-0650

  
CVSS scores:

  * CVE-2023-3966 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-3966 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-3966 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-5366 ( SUSE ):  7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  * CVE-2023-5366 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  * CVE-2024-2182 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-2182 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-0650 ( SUSE ):  9.2
    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-0650 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-0650 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE Linux Micro 6.1

  
  
An update that solves four vulnerabilities can now be installed.

## Description:

This update for openvswitch fixes the following issues:

Update OpenvSwitch to v3.1.7 and OVN to v23.03.3:

Security issues fixed:

  * CVE-2023-3966: ovs: invalid memory access and potential denial of service
    via specially crafted Geneve packets (bsc#1219465).
  * CVE-2023-5366: ovs: OpenFlow rules may be bypassed via specially crafted
    ICMPv6 Neighbor Advertisement packets sent between virtual machines
    t(bsc#1216002).
  * CVE-2024-2182: ovn: denial of service via injection of specially crafted BFD
    packets from inside unprivileged workloads (bsc#1255435).
  * CVE-2025-0650: ovn: egress ACLs may be bypassed via specially crafted UDP
    packet (bsc#1236353).

Other updates and bugfixes:

  * OpenvSwitch upstream bugfix updates:
  * https://www.openvswitch.org/releases/NEWS-3.1.7.txt
  * v3.1.7
    * Bug fixes
    * OVS validated with DPDK 22.11.7.
  * v3.1.6
    * Bug fixes
    * OVS validated with DPDK 22.11.6.
  * v3.1.5
    * Bug fixes
    * OVS validated with DPDK 22.11.5.
  * v3.1.4

    * Bug fixes
    * OVS validated with DPDK 22.11.4.
  * OVN upstream bugfix updates:

  * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS
  * v23.03.3
    * Bug fixes
    * Add "garp-max-timeout-sec" config option to vswitchd external-ids to cap the time between when ovn-controller sends gARP packets.
  * v23.03.1
    * Bug fixes
    * CT entries are not flushed by default anymore whenever a load balancer backend is removed. A new, per-LB, option 'ct_flush' can be used to restore the previous behavior. Disabled by default.
    * Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast Listener Discovery protocols, regardless of ACLs defined.
    * Send ICMP Fragmentation Needed packets back to offending ports when communicating with multichassis ports using frames that don't fit through a tunnel. This is done only for logical switches that are attached to a physical network via a localnet port, in which case multichassis ports may have an effective MTU different from regular ports and hence may need this mechanism to maintain connectivity with other peers in the network.
    * ECMP routes use L4_SYM dp-hash by default if the datapath supports it. Existing sessions might get re-hashed to a different ECMP path when OVN detects the algorithm support in the datapath during an upgrade or restart of ovn-controller.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.1  
    zypper in -t patch SUSE-SLE-Micro-6.1-367=1

## Package List:

  * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
    * libopenvswitch-3_1-0-debuginfo-3.1.7-slfo.1.1_2.1
    * openvswitch-debuginfo-3.1.7-slfo.1.1_2.1
    * libopenvswitch-3_1-0-3.1.7-slfo.1.1_2.1
    * openvswitch-debugsource-3.1.7-slfo.1.1_2.1
    * openvswitch-3.1.7-slfo.1.1_2.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-3966.html
  * https://www.suse.com/security/cve/CVE-2023-5366.html
  * https://www.suse.com/security/cve/CVE-2024-2182.html
  * https://www.suse.com/security/cve/CVE-2025-0650.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1216002
  * https://bugzilla.suse.com/show_bug.cgi?id=1219465
  * https://bugzilla.suse.com/show_bug.cgi?id=1236353
  * https://bugzilla.suse.com/show_bug.cgi?id=1255435

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260115/1ae1bd9c/attachment.htm>

More information about the sle-security-updates mailing list