2255 Open CVEs
4 Exploited
4 KEV
72 Unpatched
47 No Workaround
546 Internet-facing
Why this provider is risky now
This provider has 2255 open CVE(s) in the last 90 days. 4 listed in CISA KEV (known exploited). 72 have no vendor patch. 546 affect internet-facing services. 98 impact the management/identity plane.
4 KEV
4 Exploited
72 Unpatched
98 Mgmt / Admin Plane
83 Public PoC
47 No Workaround
546 Internet-facing
Top Risky CVEs
CVE-2026-3910
Act Now
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
Within 24 hours: Communicate patch availability to all users and enable auto-update enforcement in Chrome policies. Within 7 days: Verify 95%+ of Chrome installations are updated to version 146.0.7680.75 or later through endpoint management tools and conduct spot audits on critical workstations. Within 30 days: Complete 100% patching across the organization, review browser isolation or sandboxing controls for high-risk users, and assess whether additional endpoint detection and response (EDR) tuning is warranted to detect exploitation attempts.
Tags: Edge exposure, ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat, SUSE
- Exploited in the wild (CISA KEV)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
- Known exploited vulnerability (KEV)
CVSS 8.8 | EPSS 0.1% | Priority 119
CVE-2026-3909
Act Now
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Within 24 hours: Issue mandatory Chrome update notification to all users and block access to Chrome versions prior to 146.0.7680.75 at the network level if possible. Within 7 days: Verify 100% patching completion through endpoint management tools and conduct spot-check audits on critical user populations. Within 30 days: Review browser usage logs for exploitation indicators, assess any suspicious endpoint behavior during the vulnerability window, and implement browser update enforcement policies to prevent future exploitation delays.
Tags: ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Red Hat, SUSE
- Exploited in the wild (CISA KEV)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
- Known exploited vulnerability (KEV)
CVSS 8.8 | EPSS 0.1% | Priority 119
CVE-2026-42208
Act Now
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. The vulnerability is exploitable via crafted Authorization headers sent to any LLM API route (e.g., POST /chat/completions), triggering the injection through the proxy's error-handling path. Vendor-released patch available in version 1.83.7. No active exploitation confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N) and SQL injection POCs are widely known. Discovered by Tencent YunDing Security Lab.
Within 24 hours: Identify all LiteLLM proxy instances running versions 1.81.16 through 1.83.6 using asset inventory and network scans. Within 7 days: Upgrade all affected instances to version 1.83.7 or later per vendor advisory; test in non-production environment first. Within 30 days: Audit database access logs for suspicious Authorization header patterns; rotate all LLM API credentials stored in affected instances; review access controls to LiteLLM proxy endpoints.
Tags: Edge exposure, ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-89: SQL Injection)
- Third-party ICT: Red Hat
- Exploited in the wild (CISA KEV)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- Known exploited vulnerability (KEV)
CVSS 9.3 | EPSS 0.1% | Priority 117
CVE-2026-34197
Act Now
Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(
Within 24 hours: Identify and document all ActiveMQ Classic deployments, versions, and network exposure (particularly web console access). Within 7 days: Restrict web console access to trusted networks only via firewall or network segmentation; disable Jolokia MBean operations if not operationally required. Within 30 days: Upgrade to ActiveMQ Classic 5.19.5 or later (5.x line) or 6.2.3+ (6.x line) following vendor advisory timeline; conduct post-patch validation testing.
Tags: Edge exposure, ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-20: Improper Input Validation)
- Third-party ICT: Red Hat
- Exploited in the wild (CISA KEV)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- Known exploited vulnerability (KEV)
CVSS 8.8 | EPSS 0.1% | Priority 114
CVE-2026-4689
Act Now
A sandbox escape vulnerability exists in Firefox's XPCOM component due to incorrect boundary conditions and integer overflow, allowing attackers to bypass security sandboxing mechanisms. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw to escape the browser sandbox and potentially execute arbitrary code with elevated privileges on the affected system.
Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.
Tags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 10.0 | EPSS 0.0% | Priority 70
CVE-2026-24118
Act Now
Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. The vulnerability exploits prototype chain traversal through Buffer.apply and __lookupGetter__ to access the host Function constructor, bypassing VM2's context isolation. Publicly available exploit code exists, and vendor-released patch version 3.11.0 addresses the issue. This is a complete sandbox escape requiring no authentication or user interaction, making it critical for environments executing untrusted code within VM2 contexts.
Within 24 hours: Audit all systems and applications using VM2 ≤3.10.4 (check package-lock.json and npm ls vm2). Immediately isolate or restrict network access to systems running vulnerable versions. Within 7 days: Upgrade VM2 to version 3.11.0 or later on all production and development systems; test in non-production environment first. Within 30 days: Implement Software Composition Analysis (SCA) tooling to detect vulnerable npm dependencies in CI/CD pipelines and enforce minimum version policies for VM2.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- Third-party ICT: Red Hat
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-26956
Act Now
Full sandbox escape with arbitrary code execution allows remote attackers to break out of vm2's Node.js sandbox environment (version 3.10.4) and execute commands on the host system. Attacker-controlled code running inside VM.run() can obtain the host process object and execute arbitrary host commands without any cooperation from the host application. EPSS data not available, but this represents complete failure of the sandbox security boundary. Patch released in version 3.10.5 addresses eleven distinct escape vectors including Function constructor leakage, proxy unwrapping, util.inspect exposure, and WebAssembly exception handling.
Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate in staging environment. Within 30 days: Audit logs for suspicious code execution patterns in vm2 sandboxes and confirm full deployment across production, development, and CI/CD environments.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-24120
Act Now
Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. CVSS 9.8 (Critical) with EPSS data unavailable, but the existence of a detailed security advisory and comprehensive patch from GitHub indicates active vendor awareness and rapid response. Patched in version 3.10.5 with eleven distinct fixes addressing various bypass techniques.
Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope. Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; if upgrade is not immediately possible, implement network-level restrictions to prevent untrusted external input from reaching vm2-dependent services. Within 30 days: Conduct code review of all vm2 usage patterns to evaluate whether sandboxing requirements can be met through alternative approaches or vendor products with active security maintenance.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-32304
Act Now
create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.
Within 24 hours: Identify all applications and dependencies using locutus versions < 3.0.14 through supply chain scanning; isolate affected systems from production traffic if feasible. Within 7 days: Implement network segmentation, disable the create_function() method if possible, and deploy WAF rules to detect exploitation attempts; begin code review for alternative packages. Within 30 days: Replace locutus with a patched version (3.0.14+) or a thoroughly vetted alternative library; complete migration testing and full deployment to production.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- Third-party ICT: Red Hat
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-31072
Act Now
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).
24 hours: Audit all systems running APScheduler versions ≤3.10.x or ≤4.0.0a5 to determine exposure and data sources. 7 days: For systems processing untrusted serialized input, immediately implement controls: disable JSONSerializer and CBORSerializer deserialization, restrict network access to APScheduler instances, or containerize with execution constraints. 30 days: Establish upgrade plan and prepare to deploy patched APScheduler version once vendor releases a fix.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-502: Deserialization of Untrusted Data)
- Third-party ICT: Red Hat, SUSE
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
By Exposure
- Internet-facing: 546
- Mgmt / Admin Plane: 98
- Identity / Auth: 56
- Internal only: 1685
By Exploitability
- Known exploited: 4
- Public PoC: 83
- High EPSS (>30%): 0
- Remote unauthenticated: 1049
- Local only: 987
By Remediation
- Patch available: 2183
- No patch: 72
- Workaround available: 971
- No workaround: 47
Affected Services / Product Families
- Red Hat: 2255 CVE(s)