Enterprise Linux
Monthly
Denial of service in GNOME GLib (versions before 2.88.1) arises when g_dbus_node_info_new_for_xml() parses malformed D-Bus introspection XML that nests a <node> element inside <method>, <signal>, <property>, or <arg>. This state-confusion bug triggers an unsigned integer underflow/overflow (CWE-191) and a subsequent out-of-bounds read, crashing any application or service that parses attacker-influenced introspection data. No public exploit identified at time of analysis, EPSS is low (0.34%), and CISA SSVC rates exploitation as none with only partial technical impact.
Arbitrary file disclosure in GLib's GDBus client affects the DBUS_COOKIE_SHA1 SASL authentication mechanism, where the client fails to validate the server-supplied cookie_context parameter. A malicious or compromised D-Bus server can send a cookie_context containing path traversal sequences, forcing the client to read attacker-chosen files and leak their contents by confirming guessed values against the returned authentication hash. No public exploit has been identified and it is not in CISA KEV; EPSS is low at 0.30% (22th percentile), consistent with the SSVC assessment of no known exploitation.
Denial of service (and a 1-byte out-of-bounds read) in GNOME GLib before 2.88.1 arises from an off-by-one error in g_key_file_get_locale_string_list() in gkeyfile.c when a parsed key file contains an empty value. Any application built on GLib that loads attacker-influenced .desktop/.ini-style key files can be crashed if the over-read crosses a page boundary, with a minor information-disclosure component from the single out-of-bounds byte. Publicly available exploit code exists (SSVC 'poc'), but it is not on CISA KEV and EPSS is low (0.24%, 15th percentile), indicating no evidence of widespread active exploitation.
Buffer over-read in GLib's giochannel line-reading code (g_io_channel_read_line_backend) affects the GNOME GLib library prior to version 2.88.1, where an application that configures a multi-byte custom line terminator triggers memcmp to read past the end of the internal GString buffer. Depending on memory layout, this leaks up to 7 bytes of adjacent heap memory (minor information disclosure) or crashes the process when the over-read crosses an unmapped page boundary (denial of service). There is no public exploit identified at time of analysis, EPSS is low (0.27%), and CISA SSVC rates exploitation as none.
Buffer over-read in GNOME GLib's g_regex_replace() lets remote attackers leak 1-5 adjacent bytes of process memory and crash applications when regex replacement is performed with the G_REGEX_RAW compile flag combined with case-change replacement escapes. The internal string_append helper applies UTF-8 aware routines to matched substrings even though G_REGEX_RAW treats the buffer as raw bytes, reading past the intended boundary. There is no public exploit identified at time of analysis and EPSS is low (0.26%, 18th percentile), but the flaw is broadly reachable because GLib underpins the GNOME stack and ships across Red Hat Enterprise Linux 6-10.
Out-of-bounds read of two bytes in GLib's g_date_time_get_ymd() (glib/gdatetime.c) lets attackers corrupt date output and trigger logic errors that may cause denial of service when an application processes an invalid GDateTime produced by g_date_time_add_full(). It affects the GNOME GLib core utility library shipped across Red Hat Enterprise Linux 6 through 10, with fixes in GLib 2.88.1 and 2.86.5. There is publicly available exploit code exists per SSVC (proof-of-concept), no confirmed active exploitation, and EPSS is low at 0.27% (19th percentile).
Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. No public exploit identified at time of analysis, and EPSS is low (0.26%), but GLib's near-universal presence on Linux systems makes the exposure broad.
Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. The flaw was disclosed publicly (GNOME developer blog by Michael Catanzaro, May 2026) and tracked by Red Hat; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Kernel memory corruption in the Linux memory-management list_lru subsystem (memory cgroup reparenting path) allows a local user to corrupt linked-list pointers and destabilize or potentially escalate privileges on the system. The flaw is a race condition in memcg_reparent_list_lrus(), affecting kernels from 6.13 onward; it carries CVSS 7.8 (High) with full confidentiality, integrity and availability impact but a low EPSS of 0.17% (7th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and memory corruption in the Linux kernel DRM/GEM subsystem stems from a race condition in the GEM change_handle ioctl when it runs concurrently with gem_close, where botched two-stage idr_replace handling against the wrong idr slot allows a concurrent close to steal the object's only inherited reference. The flaw affects systems using the DRM graphics stack (notably AMD GPU paths, per source tags) and an unprivileged local user with access to a DRM render/card device can trigger a use-after-free, with the upstream resolution disabling the change_handle ioctl entirely until the locking can be proven correct. No public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with a local-only, hard-to-win race rather than mass exploitation.
WORM protection bypass in Samba's vfs_worm VFS module allows authenticated share users to defeat data retention controls by renaming a newly created file over an existing WORM-protected file. Affected users are those operating Samba deployments that have explicitly enabled the vfs_worm module for write-once, read-many data protection - such as compliance, archival, or audit log shares. An attacker with low-privilege write access can silently overwrite files that should be immutable post-grace-period, with high integrity impact (CVSS I:H). No public exploit or CISA KEV listing is identified at time of analysis.
Access control bypass in Samba allows authenticated SMB users who hold write permissions on the underlying filesystem to create or delete NTFS-style reparse point metadata on shares configured with 'read only = yes', defeating the read-only intent of the export. Because the necessary access checks are missing at the SMB layer, an attacker can change how files behave when accessed over SMB - for example, converting a regular file into a symbolic link or another reparse-point type - yielding an integrity and availability impact (CVSS 7.1). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none', non-automatable, with partial technical impact.
Trust-store poisoning in Samba's certificate auto-enrollment lets an adjacent-network attacker install an attacker-controlled CA certificate when auto-enrollment is enabled. Because Samba retrieves the CA certificate over plaintext HTTP and adds it to the local trust store without verifying authenticity, a man-in-the-middle can have a rogue CA trusted system-wide, enabling interception or spoofing of otherwise trusted TLS communications. The issue carries CVSS 8.0 with high confidentiality and integrity impact and a changed scope; EPSS is 0.00% and no public exploit identified at time of analysis.
Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.
Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.
Denial of service in 389-ds-base LDAP server allows remote unauthenticated attackers to exhaust CPU and heap memory by sending a single LDAP request packed with hundreds of thousands of minimal controls. Because get_ldapmessage_controls_ext() does not cap the per-message control count, the 2 MB default BER message limit is the only ceiling, and concurrent abuse causes worker thread starvation or OOM termination. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Denial of service in GnuTLS affects the Datagram Transport Layer Security (DTLS) packet reordering logic, where the comparator function fails to correctly handle packets with duplicate sequence numbers. Remote unauthenticated attackers can send specially crafted DTLS packet sequences to trigger unstable ordering or undefined behavior, causing service disruption. No public exploit identified at time of analysis, and the issue is rated CVSS 7.5 (High) for availability impact only.
Authentication bypass in GnuTLS affects servers that enable the RSA-PSK key exchange, where the PSK identity comparison treats a username containing an embedded NUL byte as equal to a legitimate truncated username. Remote attackers can send a crafted username to circumvent pre-shared-key authentication and gain unauthorized access. There is no public exploit identified at time of analysis, the EPSS probability is low (0.15%), and CISA SSVC scores exploitation as none - indicating high theoretical severity but no observed real-world abuse.
Polkit's polkit-agent-helper-1 setuid binary fails to bound input length on stdin, allowing local authenticated users to trigger out-of-memory conditions and deny system availability. An attacker with local login privileges can supply excessively long input to exhaust memory resources, causing a system-wide denial of service. No public exploit code or active exploitation has been confirmed at the time of analysis.
Libarchive fails to properly validate the pz_log2_bs field in ISO9660 Rock Ridge extensions during zisofs decompression, allowing remote attackers to supply a crafted ISO file that triggers undefined behavior and causes denial-of-service through incorrect memory allocation and application crashes. The vulnerability requires user interaction (ISO file opening) but no authentication, affects libarchive across multiple distributions, and carries a moderate EPSS score (0.11%, 30th percentile) suggesting low current exploitation probability despite the moderate CVSS severity.
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself.
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. [CVSS 6.5 MEDIUM]
Improper authorization in the udisks D-Bus API allows local unprivileged users to manipulate LUKS encryption headers on block devices with root privileges, potentially destroying encryption keys and rendering volumes inaccessible. An attacker with local access can exploit this to cause permanent data loss through denial-of-service. No patch is currently available for this vulnerability.
Authentication bypass in the Keylime registrar (versions 7.12.0 and later) lets unauthenticated network attackers perform administrative actions because the registrar fails to enforce client-side mutual TLS. Attackers connecting without a client certificate can list registered agents, read public TPM data, and delete agents - undermining the integrity of the remote-attestation trust chain. EPSS is low (0.04%, 11th percentile) and there is no public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 9.8) and patched across Red Hat and SUSE channels.
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. [CVSS 2.9 LOW]
libxml2's xmlCatalogXMLResolveURI function is vulnerable to uncontrolled recursion when processing self-referencing delegate URI entries in XML catalogs, allowing remote attackers to trigger stack exhaustion and crash applications. This configuration-dependent denial of service requires specially crafted XML input but no authentication, affecting any application using the vulnerable library to parse untrusted catalogs. No patch is currently available.
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. [CVSS 3.7 LOW]
Integer overflow in GLib's GIO escape_byte_string() function enables heap buffer overflow and denial-of-service when processing malicious filesystem attribute values over the network. The vulnerability affects GLib across GNOME, Red Hat Enterprise Linux 7-10, and OpenShift 4.0+, requiring only unauthenticated network access and user interaction. EPSS score of 0.07% (percentile 22) indicates low exploitation probability despite CVSS 6.5, suggesting the attack requires specific file/attribute handling conditions; no public exploit or active exploitation (CISA KEV) confirmed at analysis time.
Heap corruption in GLib (GNOME's core C utility library) lets remote attackers trigger a buffer-underflow in the GVariant parser by supplying maliciously crafted serialized/text input, resulting in denial of service and potentially arbitrary code execution. Any application linking GLib that deserializes untrusted GVariant data is exposed, which spans broad swaths of the Linux desktop and system stack across Red Hat Enterprise Linux 7-10 and SUSE. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.26%, 49th percentile) despite the 9.8 CVSS, indicating the headline severity is not yet matched by observed exploitation interest.
Use-after-free memory corruption in X.Org X server's Xkb extension allows local authenticated attackers to achieve high confidentiality impact, low integrity impact, and high availability impact (CVSS 7.3) through improper resource cleanup during client disconnection. The vulnerability affects Red Hat Enterprise Linux distributions with multiple security advisories released (RHSA-2025:19432 through RHSA-2025:22055). EPSS data not provided, but the local attack vector (AV:L) and low complexity (AC:L) indicate exploitation requires authenticated local access. No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in X.Org X server's Xkb extension affects RHEL-family distributions, allowing authenticated users to corrupt memory or crash the X server via integer overflow in XkbSetCompatMap(). Attack requires local access with low-privilege credentials. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Red Hat has released patches across multiple RHEL versions (RHSA-2025:19432 through RHSA-2025:22055).
Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.
DNS resolve confusion in netavark, the Rust-based network stack for Podman containers, causes container name lookups to be forwarded to unexpected external DNS servers due to a regression that removed the dns.podman search domain. Affected deployments on Red Hat Enterprise Linux 8/9/10 and OpenShift Container Platform 4.0 running netavark < 1.15.1 are subject to misdirected container DNS resolution when host resolv.conf search domains contain a record matching a running container's hostname. The impact is limited to information disclosure (CVSS 3.7, Low), with no confirmed active exploitation and no public exploit identified at time of analysis.
A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.
CVE-2025-7424 is a type confusion vulnerability in the libxslt library where the psvi (Post-Schema-Validation Infoset) memory field is reused for both stylesheet and input document processing, enabling memory corruption during XML transformations. This affects any application using vulnerable libxslt versions to process untrusted XML stylesheets or documents, allowing unauthenticated remote attackers to trigger denial of service or memory corruption without requiring user interaction. The vulnerability has a high CVSS score (7.5) with high availability impact, though real-world exploitation probability and active KEV status require confirmation from official sources.
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.
A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.
Memory corruption and denial of service in GnuTLS arises from a double-free (CWE-415) in the code that exports X.509 Subject Alternative Name entries containing an otherName field. When the type-id OID inside such an entry is invalid or malformed, GnuTLS calls asn1_delete_structure() on an ASN.1 node it does not own, so the same structure is freed again by the calling function, corrupting allocator state. The flaw is reachable through public GnuTLS APIs - meaning any application that parses or re-exports an attacker-supplied certificate is exposed - and there is no public exploit identified at time of analysis (EPSS 0.04%, 12th percentile; not in CISA KEV).
A security vulnerability in A flaw (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Cryptographic key derivation failure in libssh versions prior to 0.11.2 (when built against OpenSSL older than 3.0) can cause SSH sessions to proceed with uninitialized key material, allowing remote attackers to undermine session confidentiality and integrity. The flaw stems from inverted return-value semantics between OpenSSL and libssh in ssh_kdf(), so a silent KDF failure is treated as success. No public exploit identified at time of analysis and EPSS risk is low (0.07%), but the issue is widely shipped across Red Hat, Ubuntu, Debian and SUSE distributions and has vendor patches available.
Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot option, which loads /etc/nsswitch.conf from the user-controlled chroot directory instead of the host system. KEV-listed with EPSS 26.5% and public PoC, this vulnerability allows any user with sudo --chroot access to achieve root privileges by placing a malicious nsswitch configuration and library in their chroot.
CVE-2025-5318 is an out-of-bounds read vulnerability in libssh versions before 0.11.2 caused by an incorrect comparison check in the sftp_handle function that allows authenticated remote attackers to access memory beyond the valid handle list and retrieve invalid pointers for further processing. This vulnerability enables exposure of sensitive information or denial of service, with a CVSS score of 8.1 indicating high severity. The vulnerability requires authentication and network access but has high confidentiality and availability impact.
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files.
Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affected systems via crafted XML input. The vulnerability affects libxml2 directly and downstream Red Hat products including OpenShift Container Platform 4.12-4.19, RHEL 7-10, and JBoss Core Services. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), EPSS 0.75% (73rd percentile), and publicly available exploit code, this represents a moderate real-world risk focused on availability disruption rather than code execution or data compromise.
A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. This bug affects libarchive versions prior to 3.8.0.
A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.
A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.
CVE-2025-5914 is an integer overflow vulnerability in libarchive's archive_read_format_rar_seek_data() function that leads to a double-free memory corruption condition. This affects all users of libarchive who process untrusted RAR archive files, potentially allowing arbitrary code execution or denial-of-service with user interaction (opening a malicious RAR file). While no KEV listing or confirmed public exploits are currently documented, the high CVSS score (7.8) and memory safety nature of the vulnerability indicate significant real-world risk if weaponized.
CVE-2025-47711 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A vulnerability was found in systemd-coredump. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.
A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
A flaw was found in the mod_auth_openidc module for Apache httpd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to availability via local input manipulation via read_arcobject function. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in fig2dev. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In xfig diagramming tool, a stack-overflow while running fig2dev allows memory corruption via local input manipulation via read_objects function. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in xfig. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in libsoup. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A flaw was found in grub2. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in the HFS filesystem. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A stack overflow flaw was found when reading a BFS file system. Rated medium severity (CVSS 4.1). No vendor patch available.
A use-after-free flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A use-after-free flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An access to an uninitialized pointer flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An out-of-bounds write flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A buffer overflow flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A heap overflow flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A buffer overflow flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A use-after-free flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in grub2. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 60.0%.
A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious or compromised rsync server to bypass the symlink safety check via a path-traversal flaw (CWE-22). The client fails to recursively verify whether a symbolic-link target supplied by the server itself contains a nested symlink, so a controlled server can place files anywhere the rsync process can write. A detailed advisory was published by Google's security-research team (GHSA-p5pg-x43v-mvqj) as part of the January 2025 rsync vulnerability cluster, but the issue is not in CISA KEV and no public exploit identified at time of analysis; EPSS is moderate at 2.89% (86th percentile).
Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's intended destination directory by abusing the `--inc-recursive` incremental-recursion mode. Because the server can negotiate `--inc-recursive` even when the client does not request it, missing symlink validation combined with per-file-list deduplication allows arbitrary file placement on the connecting client. Publicly available exploit code exists, EPSS is 3.19% (87th percentile), and Red Hat has shipped fixes, but it is not currently listed in CISA KEV.
A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.1%.
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
A flaw was found in QEMU. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in FRRouting (FRR) through 10.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in Podman. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.
A flaw was found in the 389 Directory Server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in the virtio-net device in QEMU. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.
A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. Rated medium severity (CVSS 6.7). No vendor patch available.
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial of service in GNOME GLib (versions before 2.88.1) arises when g_dbus_node_info_new_for_xml() parses malformed D-Bus introspection XML that nests a <node> element inside <method>, <signal>, <property>, or <arg>. This state-confusion bug triggers an unsigned integer underflow/overflow (CWE-191) and a subsequent out-of-bounds read, crashing any application or service that parses attacker-influenced introspection data. No public exploit identified at time of analysis, EPSS is low (0.34%), and CISA SSVC rates exploitation as none with only partial technical impact.
Arbitrary file disclosure in GLib's GDBus client affects the DBUS_COOKIE_SHA1 SASL authentication mechanism, where the client fails to validate the server-supplied cookie_context parameter. A malicious or compromised D-Bus server can send a cookie_context containing path traversal sequences, forcing the client to read attacker-chosen files and leak their contents by confirming guessed values against the returned authentication hash. No public exploit has been identified and it is not in CISA KEV; EPSS is low at 0.30% (22th percentile), consistent with the SSVC assessment of no known exploitation.
Denial of service (and a 1-byte out-of-bounds read) in GNOME GLib before 2.88.1 arises from an off-by-one error in g_key_file_get_locale_string_list() in gkeyfile.c when a parsed key file contains an empty value. Any application built on GLib that loads attacker-influenced .desktop/.ini-style key files can be crashed if the over-read crosses a page boundary, with a minor information-disclosure component from the single out-of-bounds byte. Publicly available exploit code exists (SSVC 'poc'), but it is not on CISA KEV and EPSS is low (0.24%, 15th percentile), indicating no evidence of widespread active exploitation.
Buffer over-read in GLib's giochannel line-reading code (g_io_channel_read_line_backend) affects the GNOME GLib library prior to version 2.88.1, where an application that configures a multi-byte custom line terminator triggers memcmp to read past the end of the internal GString buffer. Depending on memory layout, this leaks up to 7 bytes of adjacent heap memory (minor information disclosure) or crashes the process when the over-read crosses an unmapped page boundary (denial of service). There is no public exploit identified at time of analysis, EPSS is low (0.27%), and CISA SSVC rates exploitation as none.
Buffer over-read in GNOME GLib's g_regex_replace() lets remote attackers leak 1-5 adjacent bytes of process memory and crash applications when regex replacement is performed with the G_REGEX_RAW compile flag combined with case-change replacement escapes. The internal string_append helper applies UTF-8 aware routines to matched substrings even though G_REGEX_RAW treats the buffer as raw bytes, reading past the intended boundary. There is no public exploit identified at time of analysis and EPSS is low (0.26%, 18th percentile), but the flaw is broadly reachable because GLib underpins the GNOME stack and ships across Red Hat Enterprise Linux 6-10.
Out-of-bounds read of two bytes in GLib's g_date_time_get_ymd() (glib/gdatetime.c) lets attackers corrupt date output and trigger logic errors that may cause denial of service when an application processes an invalid GDateTime produced by g_date_time_add_full(). It affects the GNOME GLib core utility library shipped across Red Hat Enterprise Linux 6 through 10, with fixes in GLib 2.88.1 and 2.86.5. There is publicly available exploit code exists per SSVC (proof-of-concept), no confirmed active exploitation, and EPSS is low at 0.27% (19th percentile).
Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. No public exploit identified at time of analysis, and EPSS is low (0.26%), but GLib's near-universal presence on Linux systems makes the exposure broad.
Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. The flaw was disclosed publicly (GNOME developer blog by Michael Catanzaro, May 2026) and tracked by Red Hat; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Kernel memory corruption in the Linux memory-management list_lru subsystem (memory cgroup reparenting path) allows a local user to corrupt linked-list pointers and destabilize or potentially escalate privileges on the system. The flaw is a race condition in memcg_reparent_list_lrus(), affecting kernels from 6.13 onward; it carries CVSS 7.8 (High) with full confidentiality, integrity and availability impact but a low EPSS of 0.17% (7th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and memory corruption in the Linux kernel DRM/GEM subsystem stems from a race condition in the GEM change_handle ioctl when it runs concurrently with gem_close, where botched two-stage idr_replace handling against the wrong idr slot allows a concurrent close to steal the object's only inherited reference. The flaw affects systems using the DRM graphics stack (notably AMD GPU paths, per source tags) and an unprivileged local user with access to a DRM render/card device can trigger a use-after-free, with the upstream resolution disabling the change_handle ioctl entirely until the locking can be proven correct. No public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with a local-only, hard-to-win race rather than mass exploitation.
WORM protection bypass in Samba's vfs_worm VFS module allows authenticated share users to defeat data retention controls by renaming a newly created file over an existing WORM-protected file. Affected users are those operating Samba deployments that have explicitly enabled the vfs_worm module for write-once, read-many data protection - such as compliance, archival, or audit log shares. An attacker with low-privilege write access can silently overwrite files that should be immutable post-grace-period, with high integrity impact (CVSS I:H). No public exploit or CISA KEV listing is identified at time of analysis.
Access control bypass in Samba allows authenticated SMB users who hold write permissions on the underlying filesystem to create or delete NTFS-style reparse point metadata on shares configured with 'read only = yes', defeating the read-only intent of the export. Because the necessary access checks are missing at the SMB layer, an attacker can change how files behave when accessed over SMB - for example, converting a regular file into a symbolic link or another reparse-point type - yielding an integrity and availability impact (CVSS 7.1). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none', non-automatable, with partial technical impact.
Trust-store poisoning in Samba's certificate auto-enrollment lets an adjacent-network attacker install an attacker-controlled CA certificate when auto-enrollment is enabled. Because Samba retrieves the CA certificate over plaintext HTTP and adds it to the local trust store without verifying authenticity, a man-in-the-middle can have a rogue CA trusted system-wide, enabling interception or spoofing of otherwise trusted TLS communications. The issue carries CVSS 8.0 with high confidentiality and integrity impact and a changed scope; EPSS is 0.00% and no public exploit identified at time of analysis.
Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.
Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.
Denial of service in 389-ds-base LDAP server allows remote unauthenticated attackers to exhaust CPU and heap memory by sending a single LDAP request packed with hundreds of thousands of minimal controls. Because get_ldapmessage_controls_ext() does not cap the per-message control count, the 2 MB default BER message limit is the only ceiling, and concurrent abuse causes worker thread starvation or OOM termination. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Denial of service in GnuTLS affects the Datagram Transport Layer Security (DTLS) packet reordering logic, where the comparator function fails to correctly handle packets with duplicate sequence numbers. Remote unauthenticated attackers can send specially crafted DTLS packet sequences to trigger unstable ordering or undefined behavior, causing service disruption. No public exploit identified at time of analysis, and the issue is rated CVSS 7.5 (High) for availability impact only.
Authentication bypass in GnuTLS affects servers that enable the RSA-PSK key exchange, where the PSK identity comparison treats a username containing an embedded NUL byte as equal to a legitimate truncated username. Remote attackers can send a crafted username to circumvent pre-shared-key authentication and gain unauthorized access. There is no public exploit identified at time of analysis, the EPSS probability is low (0.15%), and CISA SSVC scores exploitation as none - indicating high theoretical severity but no observed real-world abuse.
Polkit's polkit-agent-helper-1 setuid binary fails to bound input length on stdin, allowing local authenticated users to trigger out-of-memory conditions and deny system availability. An attacker with local login privileges can supply excessively long input to exhaust memory resources, causing a system-wide denial of service. No public exploit code or active exploitation has been confirmed at the time of analysis.
Libarchive fails to properly validate the pz_log2_bs field in ISO9660 Rock Ridge extensions during zisofs decompression, allowing remote attackers to supply a crafted ISO file that triggers undefined behavior and causes denial-of-service through incorrect memory allocation and application crashes. The vulnerability requires user interaction (ISO file opening) but no authentication, affects libarchive across multiple distributions, and carries a moderate EPSS score (0.11%, 30th percentile) suggesting low current exploitation probability despite the moderate CVSS severity.
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself.
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. [CVSS 6.5 MEDIUM]
Improper authorization in the udisks D-Bus API allows local unprivileged users to manipulate LUKS encryption headers on block devices with root privileges, potentially destroying encryption keys and rendering volumes inaccessible. An attacker with local access can exploit this to cause permanent data loss through denial-of-service. No patch is currently available for this vulnerability.
Authentication bypass in the Keylime registrar (versions 7.12.0 and later) lets unauthenticated network attackers perform administrative actions because the registrar fails to enforce client-side mutual TLS. Attackers connecting without a client certificate can list registered agents, read public TPM data, and delete agents - undermining the integrity of the remote-attestation trust chain. EPSS is low (0.04%, 11th percentile) and there is no public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 9.8) and patched across Red Hat and SUSE channels.
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. [CVSS 2.9 LOW]
libxml2's xmlCatalogXMLResolveURI function is vulnerable to uncontrolled recursion when processing self-referencing delegate URI entries in XML catalogs, allowing remote attackers to trigger stack exhaustion and crash applications. This configuration-dependent denial of service requires specially crafted XML input but no authentication, affecting any application using the vulnerable library to parse untrusted catalogs. No patch is currently available.
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. [CVSS 3.7 LOW]
Integer overflow in GLib's GIO escape_byte_string() function enables heap buffer overflow and denial-of-service when processing malicious filesystem attribute values over the network. The vulnerability affects GLib across GNOME, Red Hat Enterprise Linux 7-10, and OpenShift 4.0+, requiring only unauthenticated network access and user interaction. EPSS score of 0.07% (percentile 22) indicates low exploitation probability despite CVSS 6.5, suggesting the attack requires specific file/attribute handling conditions; no public exploit or active exploitation (CISA KEV) confirmed at analysis time.
Heap corruption in GLib (GNOME's core C utility library) lets remote attackers trigger a buffer-underflow in the GVariant parser by supplying maliciously crafted serialized/text input, resulting in denial of service and potentially arbitrary code execution. Any application linking GLib that deserializes untrusted GVariant data is exposed, which spans broad swaths of the Linux desktop and system stack across Red Hat Enterprise Linux 7-10 and SUSE. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.26%, 49th percentile) despite the 9.8 CVSS, indicating the headline severity is not yet matched by observed exploitation interest.
Use-after-free memory corruption in X.Org X server's Xkb extension allows local authenticated attackers to achieve high confidentiality impact, low integrity impact, and high availability impact (CVSS 7.3) through improper resource cleanup during client disconnection. The vulnerability affects Red Hat Enterprise Linux distributions with multiple security advisories released (RHSA-2025:19432 through RHSA-2025:22055). EPSS data not provided, but the local attack vector (AV:L) and low complexity (AC:L) indicate exploitation requires authenticated local access. No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in X.Org X server's Xkb extension affects RHEL-family distributions, allowing authenticated users to corrupt memory or crash the X server via integer overflow in XkbSetCompatMap(). Attack requires local access with low-privilege credentials. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Red Hat has released patches across multiple RHEL versions (RHSA-2025:19432 through RHSA-2025:22055).
Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.
DNS resolve confusion in netavark, the Rust-based network stack for Podman containers, causes container name lookups to be forwarded to unexpected external DNS servers due to a regression that removed the dns.podman search domain. Affected deployments on Red Hat Enterprise Linux 8/9/10 and OpenShift Container Platform 4.0 running netavark < 1.15.1 are subject to misdirected container DNS resolution when host resolv.conf search domains contain a record matching a running container's hostname. The impact is limited to information disclosure (CVSS 3.7, Low), with no confirmed active exploitation and no public exploit identified at time of analysis.
A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.
CVE-2025-7424 is a type confusion vulnerability in the libxslt library where the psvi (Post-Schema-Validation Infoset) memory field is reused for both stylesheet and input document processing, enabling memory corruption during XML transformations. This affects any application using vulnerable libxslt versions to process untrusted XML stylesheets or documents, allowing unauthenticated remote attackers to trigger denial of service or memory corruption without requiring user interaction. The vulnerability has a high CVSS score (7.5) with high availability impact, though real-world exploitation probability and active KEV status require confirmation from official sources.
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.
A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.
Memory corruption and denial of service in GnuTLS arises from a double-free (CWE-415) in the code that exports X.509 Subject Alternative Name entries containing an otherName field. When the type-id OID inside such an entry is invalid or malformed, GnuTLS calls asn1_delete_structure() on an ASN.1 node it does not own, so the same structure is freed again by the calling function, corrupting allocator state. The flaw is reachable through public GnuTLS APIs - meaning any application that parses or re-exports an attacker-supplied certificate is exposed - and there is no public exploit identified at time of analysis (EPSS 0.04%, 12th percentile; not in CISA KEV).
A security vulnerability in A flaw (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Cryptographic key derivation failure in libssh versions prior to 0.11.2 (when built against OpenSSL older than 3.0) can cause SSH sessions to proceed with uninitialized key material, allowing remote attackers to undermine session confidentiality and integrity. The flaw stems from inverted return-value semantics between OpenSSL and libssh in ssh_kdf(), so a silent KDF failure is treated as success. No public exploit identified at time of analysis and EPSS risk is low (0.07%), but the issue is widely shipped across Red Hat, Ubuntu, Debian and SUSE distributions and has vendor patches available.
Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot option, which loads /etc/nsswitch.conf from the user-controlled chroot directory instead of the host system. KEV-listed with EPSS 26.5% and public PoC, this vulnerability allows any user with sudo --chroot access to achieve root privileges by placing a malicious nsswitch configuration and library in their chroot.
CVE-2025-5318 is an out-of-bounds read vulnerability in libssh versions before 0.11.2 caused by an incorrect comparison check in the sftp_handle function that allows authenticated remote attackers to access memory beyond the valid handle list and retrieve invalid pointers for further processing. This vulnerability enables exposure of sensitive information or denial of service, with a CVSS score of 8.1 indicating high severity. The vulnerability requires authentication and network access but has high confidentiality and availability impact.
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files.
Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affected systems via crafted XML input. The vulnerability affects libxml2 directly and downstream Red Hat products including OpenShift Container Platform 4.12-4.19, RHEL 7-10, and JBoss Core Services. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), EPSS 0.75% (73rd percentile), and publicly available exploit code, this represents a moderate real-world risk focused on availability disruption rather than code execution or data compromise.
A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. This bug affects libarchive versions prior to 3.8.0.
A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.
A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.
CVE-2025-5914 is an integer overflow vulnerability in libarchive's archive_read_format_rar_seek_data() function that leads to a double-free memory corruption condition. This affects all users of libarchive who process untrusted RAR archive files, potentially allowing arbitrary code execution or denial-of-service with user interaction (opening a malicious RAR file). While no KEV listing or confirmed public exploits are currently documented, the high CVSS score (7.8) and memory safety nature of the vulnerability indicate significant real-world risk if weaponized.
CVE-2025-47711 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A vulnerability was found in systemd-coredump. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.
A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
A flaw was found in the mod_auth_openidc module for Apache httpd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to availability via local input manipulation via read_arcobject function. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in fig2dev. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In xfig diagramming tool, a stack-overflow while running fig2dev allows memory corruption via local input manipulation via read_objects function. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in xfig. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in libsoup. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A flaw was found in grub2. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in the HFS filesystem. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A stack overflow flaw was found when reading a BFS file system. Rated medium severity (CVSS 4.1). No vendor patch available.
A use-after-free flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A use-after-free flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An access to an uninitialized pointer flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An out-of-bounds write flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A buffer overflow flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A heap overflow flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A buffer overflow flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A use-after-free flaw was found in X.Org and Xwayland. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in grub2. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 60.0%.
A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious or compromised rsync server to bypass the symlink safety check via a path-traversal flaw (CWE-22). The client fails to recursively verify whether a symbolic-link target supplied by the server itself contains a nested symlink, so a controlled server can place files anywhere the rsync process can write. A detailed advisory was published by Google's security-research team (GHSA-p5pg-x43v-mvqj) as part of the January 2025 rsync vulnerability cluster, but the issue is not in CISA KEV and no public exploit identified at time of analysis; EPSS is moderate at 2.89% (86th percentile).
Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's intended destination directory by abusing the `--inc-recursive` incremental-recursion mode. Because the server can negotiate `--inc-recursive` even when the client does not request it, missing symlink validation combined with per-file-list deduplication allows arbitrary file placement on the connecting client. Publicly available exploit code exists, EPSS is 3.19% (87th percentile), and Red Hat has shipped fixes, but it is not currently listed in CISA KEV.
A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.1%.
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
A flaw was found in QEMU. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in FRRouting (FRR) through 10.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in Podman. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.
A flaw was found in the 389 Directory Server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in the virtio-net device in QEMU. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.
A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. Rated medium severity (CVSS 6.7). No vendor patch available.
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.