<div class="container">
<h1>Security update for helm</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:21461-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-04-30T13:26:15Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1248093">bsc#1248093</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261938">bsc#1261938</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-55199.html">CVE-2025-55199</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-35206.html">CVE-2026-35206</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-55199</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-55199</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-55199</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-35206</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-35206</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.4</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-35206</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">4.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-35206</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">4.4</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.2</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for helm fixes the following issues:</p>
<p>Update to version 3.20.2.</p>
<p>Security issued fixed:</p>
<ul>
<li>CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).</li>
<li>CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to
expected output directory suffixed by the Chart's name (bsc#1261938).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>Version 3.20.1:</li>
<li>chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])</li>
<li>add image index test 90e1056 (Pedro Tôrres)</li>
<li>fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres)</li>
<li>Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)</li>
<li>Fix import 45c12f7 (Evans Mungai)</li>
<li>Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)</li>
<li>Fix lint warning 09f5129 (Evans Mungai)</li>
<li>Preserve nil values in chart already 417deb2 (Evans Mungai)</li>
<li>fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)</li>
<li>Version 3.20.0:</li>
<li>SDK: bump k8s API versions to v0.35.0</li>
<li>v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564</li>
<li>v3 backport: Bump Go version to v1.25</li>
<li>bump version to v3.20</li>
<li>chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0</li>
<li>chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0</li>
<li>chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0</li>
<li>chore(deps): bump the k8s-io group with 7 updates</li>
<li>[dev-v3] Replace deprecated <code>NewSimpleClientset</code></li>
<li>[dev-v3] Bump Go v1.25, <code>golangci-lint</code> v2</li>
<li>chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0</li>
<li>chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30</li>
<li>fix(rollback): <code>errors.Is</code> instead of string comp</li>
<li>fix(uninstall): supersede deployed releases</li>
<li>Use latest patch release of Go in releases</li>
<li>chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0</li>
<li>chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0</li>
<li>chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0</li>
<li>chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2</li>
<li>chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1</li>
<li>chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0</li>
<li>chore(deps): bump github.com/cyphar/filepath-securejoin</li>
<li>chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0</li>
<li>chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0</li>
<li>Remove dev-v3 <code>helm-latest-version</code> publish</li>
<li>chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29</li>
<li>Revert "pkg/registry: Login option for passing TLS config in memory"</li>
<li>jsonschema: warn and ignore unresolved URN $ref to match v3.18.4</li>
<li>Fix <code>helm pull</code> untar dir check with repo urls</li>
<li>chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0</li>
<li>chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0</li>
<li>chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0</li>
<li>[backport] fix: get-helm-3 script use helm3-latest-version</li>
<li>pkg/registry: Login option for passing TLS config in memory</li>
<li>Fix deprecation warning</li>
<li>chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0</li>
<li>chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0</li>
<li>Avoid "panic: interface conversion: interface {} is nil"</li>
<li>bump version to v3.19.0</li>
<li>chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10</li>
<li>fix: set repo authorizer in registry.Client.Resolve()</li>
<li>fix null merge</li>
<li>Add timeout flag to repo add and update flags</li>
<li>Version 3.19.5:</li>
<li>Fixed bug where removing subchart value via override resulted in warning #31118</li>
<li>Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556</li>
<li>fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)</li>
<li>fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)</li>
<li>fix null merge 578564e (Ben Foster)</li>
<li>Version 3.19.4:</li>
<li>Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)</li>
<li>chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])</li>
<li>chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1</li>
<li>chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])</li>
<li>chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])</li>
<li>chore(deps): bump the k8s-io group with 7 updates edb1579</li>
<li>Version 3.19.3:</li>
<li>Bump golang.org/x/crypto to v0.45.0</li>
<li>Version 3.19.2:</li>
<li>[backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.2
<br/>
<code>zypper in -t patch SUSE-SL-Micro-6.2-661=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
<ul>
<li>helm-3.20.2-160000.1.1</li>
<li>helm-debuginfo-3.20.2-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Micro 6.2 (noarch)
<ul>
<li>helm-bash-completion-3.20.2-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-55199.html">https://www.suse.com/security/cve/CVE-2025-55199.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-35206.html">https://www.suse.com/security/cve/CVE-2026-35206.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1248093">https://bugzilla.suse.com/show_bug.cgi?id=1248093</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261938">https://bugzilla.suse.com/show_bug.cgi?id=1261938</a>
</li>
</ul>
</div>