Is Redhat affected by CVE-2026-27980?

CVE-2026-27980 presents notable security risk, a resource exhaustion vulnerability rated CVSS 7.5. Exploitation could cause service disruption or denial of service, impacting availability for legitimate users. A patch is available and should be applied as part of regular vulnerability management.

CVE-2026-27980

HIGH

2026-03-17 https://github.com/vercel/next.js

GHSA-3x4c-7xq6-9pq8

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

PoC Detected

Mar 18, 2026 - 19:52 vuln.today

Public exploit code

Analysis Generated

Mar 17, 2026 - 20:30 vuln.today

Patch Released

Mar 17, 2026 - 20:30 nvd

Patch available

CVE Published

Mar 17, 2026 - 16:17 nvd

HIGH 7.5

Description

## Summary The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. ## Impact An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. ## Patches Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. ## Workarounds If upgrade is not immediately possible: - Periodically clean `.next/cache/images`. - Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)

Analysis

Next.js image optimization caches unbounded disk space by default, enabling attackers to exhaust storage and cause denial of service by requesting numerous image variants. The vulnerability affects applications using the default `/_next/image` optimization feature without explicit cache size limits. …

Remediation

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: +20

Vendor Status

CVE-2026-27980 vulnerability details – vuln.today

Back

CVE-2026-27980

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-27980

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code