Security update for freetype2

Announcement ID:	SUSE-SU-2026:20726-1
Release Date:	2026-03-16T09:25:28Z
Rating:	moderate
References:	bsc#1192869 bsc#1217580 bsc#1217584 bsc#1217585 bsc#1241661 bsc#1252148 bsc#1253245 bsc#1258163 bsc#1258167 bsc#1259118
Cross-References:	CVE-2021-42380 CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 CVE-2025-46394 CVE-2025-60876 CVE-2026-23865 CVE-2026-26157 CVE-2026-26158
CVSS scores:	CVE-2021-42380 ( SUSE ): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-42380 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-42380 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2023-42363 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42363 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42364 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2023-42364 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42364 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42364 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42365 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42365 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-46394 ( SUSE ): 5.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N CVE-2025-46394 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N CVE-2025-46394 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N CVE-2025-46394 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2025-60876 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N CVE-2025-60876 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVE-2025-60876 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-23865 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2026-23865 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-23865 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-26157 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-26157 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2026-26157 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2026-26158 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-26158 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2026-26158 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Micro 6.0 SUSE Linux Micro 6.1

An update that solves nine vulnerabilities and has one fix can now be installed.

Security update for freetype2

Description:

This update for freetype2 fixes the following issue:

Update to freetype2 2.14.2:

• CVE-2026-23865: Integer overflow in the tt_var_load_item_variation_store function (bsc#1259118).

Changelog:

• Several changes related to LCD filtering are implemented to achieve better performance and encourage sound practices.
• Instead of blanket LCD filtering over the entire bitmap, it is now applied only to non-zero spans using direct rendering. This speeds up the ClearType-like rendering by more than 40% at sizes above 32 ppem.
• Setting the filter weights with FT_Face_Properties is no longer supported. The default and light filters are optimized to work with any face.
• The legacy libXft LCD filter algorithm is no longer provided.
• A bunch of potential security problems have been found (bsc#1259118, CVE-2026-23865). All users should update.
• The italic angle in PS_FontInfo is now stored as a fixed-point value in degrees for all Type 1 fonts and their derivatives, consistent with CFF fonts and common practices. The broken underline position and thickness values are fixed for CFF fonts.
• The x field in the FT_Span structure is now unsigned.
• Demo program ftgrid got an option -m to select a start character to display.
• Similarly, demo program ftmulti got an option -m to select a text string for rendering.
• Option -d in the demo program ttdebug is now called -a, expecting a comma-separated list of axis values. The user interface is also slightly improved.
• The ftinspect demo program can now be compiled with Qt6, too.
• The auto-hinter got new abilities. It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary
• Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines.
• Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph
• The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed.
• Handling of Variation Fonts is now considerably faster
• TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed-point multiplication.
• The BDF driver now loads fonts 75% faster.

Security update for busybox

Description:

This update for busybox fixes the following issues:

• CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580).
• CVE-2023-42364: use-after-free in the awk.c evaluate function (bsc#1217584).
• CVE-2023-42365: use-after-free in the awk.c copyvar function (bsc#1217585).
• CVE-2025-46394: files in a TAR archive can have their filenames hidden from a listing if terminal escape sequences are used when naming other files included in the archive (bsc#1241661).
• CVE-2025-60876: request line incorrectly neutralized mat lead to header injection (bsc#1253245).
• CVE-2026-26157: Arbitrary file overwrite and potential code execution via incomplete path sanitization (bsc#1258163).
• CVE-2026-26158: Arbitrary file modification and privilege escalation via unvalidated tar archive entries (bsc#1258167).
• CVE-2021-42380: Additional fix for use-after-realloc in awk (bsc#1192869).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-619=1
• SUSE Linux Micro 6.1
  zypper in -t patch SUSE-SLE-Micro-6.1-442=1

Package List:

• SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  • busybox-1.36.1-3.1
• SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
  • libfreetype6-2.14.2-slfo.1.1_1.1
  • libfreetype6-debuginfo-2.14.2-slfo.1.1_1.1
  • freetype2-debugsource-2.14.2-slfo.1.1_1.1

References:

• https://www.suse.com/security/cve/CVE-2021-42380.html
• https://www.suse.com/security/cve/CVE-2023-42363.html
• https://www.suse.com/security/cve/CVE-2023-42364.html
• https://www.suse.com/security/cve/CVE-2023-42365.html
• https://www.suse.com/security/cve/CVE-2025-46394.html
• https://www.suse.com/security/cve/CVE-2025-60876.html
• https://www.suse.com/security/cve/CVE-2026-23865.html
• https://www.suse.com/security/cve/CVE-2026-26157.html
• https://www.suse.com/security/cve/CVE-2026-26158.html
• https://bugzilla.suse.com/show_bug.cgi?id=1192869
• https://bugzilla.suse.com/show_bug.cgi?id=1217580
• https://bugzilla.suse.com/show_bug.cgi?id=1217584
• https://bugzilla.suse.com/show_bug.cgi?id=1217585
• https://bugzilla.suse.com/show_bug.cgi?id=1241661
• https://bugzilla.suse.com/show_bug.cgi?id=1252148
• https://bugzilla.suse.com/show_bug.cgi?id=1253245
• https://bugzilla.suse.com/show_bug.cgi?id=1258163
• https://bugzilla.suse.com/show_bug.cgi?id=1258167
• https://bugzilla.suse.com/show_bug.cgi?id=1259118