{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"not set"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2026-24044","title":"Title"},{"category":"description","text":"Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key generation method, allowing network attackers to potentially recreate the same key pair, allowing them to impersonate the victim server. The secret is generated by the secrets initialization hook, in the ESS Community Helm Chart values, if both initSecrets.enabled is not set to false and synapse.signingKey is not defined. Given a server key in Matrix authenticates both requests originating from and events constructed on a given server, this potentially impacts confidentiality, integrity and availability of rooms which have a vulnerable server present as a member. The confidentiality of past conversations in end-to-end encrypted rooms is not impacted. The key generation issue was fixed in matrix-tools 0.5.7, released as part of ESS Community Helm Chart 25.12.1.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2026-24044","url":"https://www.suse.com/security/cve/CVE-2026-24044"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"title":"SUSE CVE CVE-2026-24044","tracking":{"current_release_date":"2026-02-15T00:24:24Z","generator":{"date":"2026-02-15T00:24:24Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2026-24044","initial_release_date":"2026-02-15T00:24:24Z","revision_history":[{"date":"2026-02-15T00:24:24Z","number":"2","summary":"vulnerabilities added,references added,severity changed from  to not set"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"matrix-synapse-1.147.1-1.1","product":{"name":"matrix-synapse-1.147.1-1.1","product_id":"matrix-synapse-1.147.1-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:matrix:synapse:1.147.1:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/matrix-synapse@1.147.1-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"matrix-synapse-1.147.1-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:matrix-synapse-1.147.1-1.1"},"product_reference":"matrix-synapse-1.147.1-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2026-24044","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2026-24044"}],"notes":[{"category":"general","text":"Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key generation method, allowing network attackers to potentially recreate the same key pair, allowing them to impersonate the victim server. The secret is generated by the secrets initialization hook, in the ESS Community Helm Chart values, if both initSecrets.enabled is not set to false and synapse.signingKey is not defined. Given a server key in Matrix authenticates both requests originating from and events constructed on a given server, this potentially impacts confidentiality, integrity and availability of rooms which have a vulnerable server present as a member. The confidentiality of past conversations in end-to-end encrypted rooms is not impacted. The key generation issue was fixed in matrix-tools 0.5.7, released as part of ESS Community Helm Chart 25.12.1.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:matrix-synapse-1.147.1-1.1"]},"references":[{"category":"external","summary":"CVE-2026-24044","url":"https://www.suse.com/security/cve/CVE-2026-24044"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:matrix-synapse-1.147.1-1.1"]}],"threats":[{"category":"impact","date":"2026-02-12T21:02:57Z","details":"not set"}],"title":"CVE-2026-24044"}]}