917 Open CVEs
1 Exploited
1 KEV
50 Unpatched
6 No Workaround
230 Internet-facing
Why this provider is risky now
This provider has 917 open CVE(s) in the last 90 days. 1 listed in CISA KEV (known exploited). 50 have no vendor patch. 230 affect internet-facing services. 40 impact the management/identity plane.
1 KEV
1 Exploited
50 Unpatched
40 Mgmt / Admin Plane
135 Public PoC
6 No Workaround
230 Internet-facing
Top Risky CVEs
CVE-2026-2441
Act Now
Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.
Within 24 hours: Assess Chrome deployment across the organization and identify business-critical systems using vulnerable versions; communicate the threat to all users and restrict Chrome access to non-sensitive tasks where possible.
Within 7 days: Implement browser isolation technologies or sandboxed browsing environments for high-risk users; enforce strict web filtering to block known malicious domains; consider deploying alternative browsers for critical workflows.
Within 30 days: Monitor Google's security releases closely for patch availability; develop a rapid patching strategy to deploy updates within 48 hours of release; conduct security awareness training on phishing and malicious websites.
Flags: ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Red Hat, SUSE
- Exploited in the wild (CISA KEV)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
- Known exploited vulnerability (KEV)
CVSS 8.8 | EPSS 0.1% | Priority 114
CVE-2025-14009
Act Now
Critical code execution vulnerability in NLTK (Natural Language Toolkit) downloader component. The _unzip_iter function can be exploited to achieve arbitrary code execution through crafted downloads. CVSS 10.0, EPSS 0.57%. PoC available.
Within 24 hours: Identify all systems and applications using NLTK; disable NLTK's download functionality if not actively required for operations.
Within 7 days: Implement network segmentation to restrict NLTK processes from accessing sensitive systems; audit logs for suspicious extraction activities.
Within 30 days: Migrate to an alternative NLP library or await vendor patch; implement strict input validation on any archive handling; conduct forensic analysis for indicators of compromise.
Flags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 10.0 | EPSS 0.6% | Priority 71
CVE-2026-24054
Act Now
Sandbox escape in Kata Containers allowing guest VM to access host resources. CVSS 10.0 — undermines the core security guarantee of hardware-isolated containers. PoC and patch available.
Within 24 hours: Identify all systems running Kata Containers versions prior to 3.26.0 and assess exposure in production environments.
Within 7 days: Apply vendor patch to upgrade Kata Containers to version 3.26.0 or later across all affected systems, beginning with critical infrastructure and production workloads.
Within 30 days: Conduct post-patch validation testing, update container image scanning policies to detect malformed layers, and implement enhanced monitoring for suspicious bind-mount activities.
Flags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Red Hat
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 10.0 | EPSS 0.1% | Priority 70
CVE-2025-68121
Act Now
Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.
Within 24 hours: Identify all systems running affected Go versions (pre-1.23.5, pre-1.24.1, or pre-1.25.1) and assess exposure in production environments.
Within 7 days: Apply vendor patches to all affected systems and conduct restart/deployment validation.
Within 30 days: Audit session resumption configurations, review access logs for suspicious session activity, and validate patch deployment across the entire infrastructure.
Flags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 10.0 | EPSS 0.0% | Priority 70
CVE-2025-56005
Act Now
PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.
Within 24 hours: Identify all affected systems and apply vendor patches immediately. Restrict deserialization to trusted data sources and implement integrity checks.
Flags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-502: Deserialization of Untrusted Data)
- Third-party ICT: GitHub, Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: GitHub (Dev Platforms & CI/CD)
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.9% | Priority 70
CVE-2026-27606
Act Now
Path traversal in Rollup JavaScript module bundler before 2.80.0/3.30.0/4.59.0 allows reading arbitrary files on the build server during bundling. PoC and patch available.
Within 24 hours: Identify all internal and third-party applications using Rollup and document their versions.
Within 7 days: Upgrade all instances to patched versions (2.80.0+, 3.30.0+, or 4.59.0+) and validate build integrity.
Within 30 days: Conduct code review of recent builds to confirm no malicious artifacts were introduced, and implement supply chain controls to prevent unpatched dependency usage.
Flags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.6% | Priority 70
CVE-2026-23883
Act Now
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in xf_Pointer_New where cursor data is freed prematurely, allowing malicious RDP servers to execute code on clients.
Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.
Flags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.2% | Priority 69
CVE-2026-23884
Act Now
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in offscreen bitmap deletion that leaves dangling pointers, exploitable by malicious RDP servers for client-side code execution.
Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.
Flags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.2% | Priority 69
CVE-2026-23530
Act Now
FreeRDP prior to 3.21.0 has a heap buffer overflow in bitmap decompression (planar codec) that can be triggered by a malicious RDP server to execute code on the client.
Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.
Flags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-23533
Act Now
FreeRDP prior to 3.21.0 has another client-side heap buffer overflow that can be exploited by malicious RDP servers to achieve remote code execution on connected clients.
Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.
Flags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
By Exposure
Internet-facing: 230
Mgmt / Admin Plane: 40
Identity / Auth: 24
Internal only: 677
By Exploitability
Known exploited: 1
Public PoC: 135
High EPSS (>30%): 0
Remote unauthenticated: 396
Local only: 401
By Remediation
Patch available: 867
No patch: 50
Workaround available: 782
No workaround: 6
Affected Services / Product Families
Redhat: 917 CVE(s)