OpenSuse Tumbleweed

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in OpenSuse Tumbleweed.

By the Year

In 2026 there have been 0 vulnerabilities in OpenSuse Tumbleweed. Last year, in 2025 Tumbleweed had 1 security vulnerability published. Right now, Tumbleweed is on track to have less security vulnerabilities in 2026 than it did last year.

Year	Vulnerabilities	Average Score
2026	0	0.00
2025	1	0.00
2024	0	0.00
2023	1	7.80
2022	1	7.80
2021	1	7.80
2020	3	7.40

It may take a day or so for new Tumbleweed vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent OpenSuse Tumbleweed Security Vulnerabilities

Exim logrotate Symlink Following P8 Escalation before 4.98.2
CVE-2025-53881 - October 02, 2025

A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.

Symlink following

hawk2: Default Perms Escalation via hacluster on openSUSE
CVE-2023-32183 7.8 - High - July 07, 2023

Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root This issue affects openSUSE Tumbleweed.

Incorrect Default Permissions

A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed
CVE-2022-31250 7.8 - High - July 20, 2022

A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1.

insecure temporary file

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed
CVE-2021-25315 7.8 - High - March 03, 2021

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.

authentification

A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1
CVE-2020-8026 8.4 - High - August 07, 2020

A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.

Incorrect Default Permissions

A Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4
CVE-2020-8025 6.1 - Medium - August 07, 2020

A Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Tumbleweed sets the permissions for some of the directories of the pcp package to unintended settings. This issue affects: SUSE Linux Enterprise Server 12-SP4 permissions versions prior to 20170707-3.24.1. SUSE Linux Enterprise Server 15-LTSS permissions versions prior to 20180125-3.27.1. SUSE Linux Enterprise Server for SAP 15 permissions versions prior to 20180125-3.27.1. openSUSE Leap 15.1 permissions versions prior to 20181116-lp151.4.24.1. openSUSE Tumbleweed permissions versions prior to 20200624.

Incorrect Execution-Assigned Permissions

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of kopano-spamd of openSUSE Leap 15.1, openSUSE Tumbleweed
CVE-2020-8014 7.7 - High - June 29, 2020

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of kopano-spamd of openSUSE Leap 15.1, openSUSE Tumbleweed allowed local attackers with the privileges of the kopano user to escalate to root. This issue affects: openSUSE Leap 15.1 kopano-spamd versions prior to 10.0.5-lp151.4.1. openSUSE Tumbleweed kopano-spamd versions prior to 10.0.5-1.1.

Symlink following

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for OpenSuse Tumbleweed or by OpenSuse? Click the Watch button to subscribe.

OpenSuse
Vendor

OpenSuse Tumbleweed
Product

OpenSuse Tumbleweed

Don't miss out!

By the Year

Recent OpenSuse Tumbleweed Security Vulnerabilities

Exim logrotate Symlink Following P8 Escalation before 4.98.2 CVE-2025-53881 - October 02, 2025

hawk2: Default Perms Escalation via hacluster on openSUSE CVE-2023-32183 7.8 - High - July 07, 2023

A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed CVE-2022-31250 7.8 - High - July 20, 2022

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed CVE-2021-25315 7.8 - High - March 03, 2021

A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 CVE-2020-8026 8.4 - High - August 07, 2020

A Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4 CVE-2020-8025 6.1 - Medium - August 07, 2020

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of kopano-spamd of openSUSE Leap 15.1, openSUSE Tumbleweed CVE-2020-8014 7.7 - High - June 29, 2020