Red Hat Enterprise Linux 10

68 CVEs product

Monthly

CVE-2026-48914 MEDIUM This Month

Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. The primary confirmed impact is a denial of service (DoS) of the QEMU process on the host; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.

Denial Of Service, Heap Overflow, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, +5
NVD, VulDB
CVSS 3.1: 6.7
EPSS: 0.0%
CVE-2026-53702 MEDIUM This Month

Stack buffer overflow in GStreamer's H.265/HEVC codec parser (gst-plugins-bad) allows remote unauthenticated attackers to crash GStreamer-based applications by delivering a crafted H.265 video file or stream that a user opens. The root cause is an incorrect loop bound in the buffering period SEI message parser: the parser mistakenly uses cpb_cnt_minus1[i] (the current loop index variable) rather than cpb_cnt_minus1[0] from the referenced Sequence Parameter Set, causing the loop to iterate beyond the bounds of stack-allocated CPB delay arrays and corrupt stack memory. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the deterministic parser logic makes crash reproduction straightforward.

Memory Corruption, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +1
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-53701 MEDIUM This Month

Out-of-bounds write in GStreamer's H.266/VVC PPS picture partition parser (`gst-plugins-bad`) allows an attacker to crash media-processing applications - and potentially achieve code execution - by delivering a crafted H.266/VVC media file. The flaw in `gst_h266_parser_parse_picture_partition()` (gsth266parser.c) permits unbounded slice index increments across three fixed-size arrays in `GstH266PPS` during multi-slice-in-tile processing. A proof-of-concept demonstrating at least a 4-byte write exists; no public exploit beyond that initial POC or CISA KEV listing has been identified at time of analysis, though the code structure permits larger writes across multiple iterations which elevates downstream risk above a pure DoS assessment.

Memory Corruption, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +1
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-11850 MEDIUM This Month

Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.

Integer Overflow, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +4
NVD, VulDB
CVSS 3.1: 5.0
EPSS: 0.0%
CVE-2026-11884 MEDIUM This Month

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. This is explicitly an incomplete fix variant of CVE-2025-14905, meaning organizations that patched that prior CVE may remain exposed if the SUP field code path was not remediated; no public exploit has been identified at time of analysis.

Heap Overflow, Buffer Overflow, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, +5
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-11792 LOW Monitor

Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. Exploitation requires two non-default preconditions - audit logging must be enabled AND either CLEAR password storage must be configured or a replication peer must already be compromised - limiting real-world exposure significantly. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Heap Overflow, Buffer Overflow, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, +5
NVD
CVSS 3.1: 3.3
EPSS: 0.0%
CVE-2026-11793 MEDIUM This Month

Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.

Denial Of Service, Stack Overflow, Buffer Overflow, Red Hat Directory Server 11, Red Hat Directory Server 12, +6
NVD, VulDB
CVSS 3.1: 4.9
EPSS: 0.0%
CVE-2026-11790 MEDIUM This Month

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Denial Of Service, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, +4
NVD
CVSS 3.1: 4.9
EPSS: 0.1%
CVE-2026-11789 MEDIUM This Month

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.

Denial Of Service, Integer Overflow, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, +5
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.1%
CVE-2026-11788 HIGH This Week

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.

Denial Of Service, Null Pointer Dereference, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, +5
NVD, VulDB
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2026-11787 MEDIUM This Month

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.

Buffer Overflow, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, +4
NVD, VulDB
CVSS 3.1: 6.3
EPSS: 0.0%
CVE-2026-11785 MEDIUM This Month

Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure, Memory Corruption, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, +5
NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2026-11786 MEDIUM This Month

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.

Information Disclosure, Buffer Overflow, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, +5
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-11611 MEDIUM This Month

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticated network clients to exhaust server memory by initiating a sync operation and halting consumption of responses, causing unbounded queue growth until the server becomes unavailable. Compounding this, race conditions in the plugin's thread lifecycle management can independently trigger server crashes during connection teardown or graceful shutdown. Affected across Red Hat Directory Server 11, 12, and 13 as well as the bundled 389-ds-base package on RHEL 6 through 10. No public exploit identified at time of analysis and no CISA KEV listing.

Denial Of Service, Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, +4
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-50263 MEDIUM This Month

Use-after-free read in X.Org X server and Xwayland's CreateSaverWindow() function exposes heap memory to local authenticated users, resulting in information disclosure. A low-privileged local X client can manipulate window attributes and force screen saver activation to trigger a read from freed memory, leaking potentially sensitive heap contents (C:H/I:N/A:N). No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, an upstream fix commit has been published and a Red Hat advisory is available.

Information Disclosure, Use After Free, Memory Corruption, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, +3
NVD, VulDB
CVSS 3.1: 5.5
EPSS: 0.0%
CVE-2026-50260 HIGH This Week

Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in FreeCounter() when SyncCounter objects are destroyed across multiple client connections. Authenticated local attackers on affected Red Hat Enterprise Linux 6 through 10 systems can crash the server or escalate to root when the X server runs with elevated privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Use After Free, Memory Corruption, Privilege Escalation, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, +3
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.0%
CVE-2026-5419 LOW Monitor

GnuTLS's PKCS#7 padding validation during decryption is not implemented as a constant-time operation, creating a timing side-channel (CWE-208) that remote unauthenticated attackers can exploit to infer padding byte values on CBC-mode cipher suites. Affected deployments include GnuTLS as packaged across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Red Hat has issued patch RHSA-2026:20613; no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified, but the network-reachable, no-auth-required attack surface warrants patching on systems handling sensitive encrypted traffic.

Information Disclosure, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +3
NVD, VulDB
CVSS 3.1: 3.7
EPSS: 0.0%
CVE-2026-10118 HIGH This Week

Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.

Information Disclosure, RCE, Buffer Overflow, Denial Of Service, Integer Overflow, +6
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.1%
CVE-2026-42015 MEDIUM PATCH This Month

Memory corruption via an off-by-one error in GnuTLS PKCS#12 bag element handling exposes any application using GnuTLS to remote unauthenticated denial of service - and potentially unspecified further impact - when a crafted PKCS#12 structure is parsed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated complexity, making internet-exposed services that parse client-supplied PKCS#12 inputs the primary risk surface. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Buffer Overflow, Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +4
NVD, VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-42013 HIGH PATCH This Week

Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.

Authentication Bypass, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +3
NVD, VulDB
CVSS 3.1: 8.2
EPSS: 0.0%
CVE-2026-48864 HIGH PATCH This Week

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.

Denial Of Service, Information Disclosure, Memory Corruption, Buffer Overflow, Red Hat Enterprise Linux 10, +7
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.0%
CVE-2026-4480 CRITICAL PATCH Act Now

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.

RCE, Command Injection, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +3
NVD, VulDB
CVSS 3.1: 9.0
EPSS: 0.1%
CVE-2026-4802 HIGH PATCH This Week

Remote code execution in Cockpit's system logs UI allows authenticated users to inject shell metacharacters into unsanitized URL parameters, executing arbitrary commands on RHEL 7/8/9/10 hosts. Attack requires low-complexity exploitation by a logged-in user who can craft malicious links targeting the logs interface. No public exploit identified at time of analysis, though the vulnerable code section is publicly accessible on GitHub. EPSS data not available; CVSS 8.0 reflects high impact across confidentiality, integrity, and availability if user interaction occurs.

Command Injection, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
NVD, GitHub, VulDB
CVSS 3.1: 8.0
EPSS: 0.2%
CVE-2026-42011 HIGH PATCH This Week

Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.

Authentication Bypass, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +3
NVD, VulDB
CVSS 3.1: 7.4
EPSS: 0.0%
CVE-2026-34002 MEDIUM PATCH This Month

Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.

Denial Of Service, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +2
NVD, VulDB
CVSS 3.1: 6.1
EPSS: 0.0%
CVE-2026-34000 MEDIUM PATCH This Month

Out-of-bounds read in X.Org X server XKB geometry processing allows local or remote attackers with X11 server access to disclose sensitive memory contents or cause denial of service by crashing the server. The vulnerability exists in CheckSetGeom() and XkbAddGeomKeyAlias functions and requires low privileges but no user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service, Information Disclosure, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, +3
NVD, VulDB
CVSS 3.1: 6.1
EPSS: 0.0%
CVE-2026-33846 HIGH PATCH This Week

Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.

Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +3
NVD, VulDB
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2026-33845 HIGH PATCH This Week

Integer underflow in GnuTLS DTLS handshake reassembly allows remote unauthenticated attackers to trigger denial of service or information disclosure via crafted zero-length fragments with non-zero offsets. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a clear remote attack surface requiring no authentication, though the CVSS vector indicates availability impact only (A:H) with no confidentiality or integrity impact confirmed, contradicting the description's mention of information disclosure. No CISA KEV listing or public exploit identified at time of analysis.

Denial Of Service, Information Disclosure, Integer Overflow, Buffer Overflow, Red Hat Enterprise Linux 10, +6
NVD, VulDB
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-3832 LOW PATCH Monitor

GnuTLS with OCSP verification enabled incorrectly accepts revoked server certificates when presented with specially crafted multi-record OCSP responses during TLS handshakes, allowing attackers to bypass certificate revocation checks and establish connections to compromised servers. The vulnerability requires high attack complexity and specific OCSP configuration, affecting Red Hat Enterprise Linux 6-10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +3
NVD, VulDB
CVSS 3.1: 3.7
EPSS: 0.0%
CVE-2026-3833 MEDIUM PATCH This Month

GnuTLS performs case-sensitive comparisons of nameConstraints labels in DNS and email certificate constraints, allowing remote attackers to bypass certificate policy validation by crafting leaf certificates with differing character casing in the Subject Alternative Name field. This policy bypass could result in acceptance of certificates that should be rejected, potentially enabling unauthorized access or information disclosure. The vulnerability affects GnuTLS across Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4, with no confirmed active exploitation at time of analysis.

Authentication Bypass, Information Disclosure, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +4
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-6732 MEDIUM PATCH This Month

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Memory Corruption, Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +4
NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2026-2708 LOW Monitor

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.

Information Disclosure, Request Smuggling, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +2
NVD, VulDB
CVSS 3.1: 3.7
EPSS: 0.0%
CVE-2026-34003 HIGH PATCH This Week

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

Buffer Overflow, Information Disclosure, Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, +3
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.0%
CVE-2026-34001 HIGH PATCH This Week

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.

Buffer Overflow, Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +2
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.0%
CVE-2026-33999 HIGH PATCH This Week

A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.

Integer Overflow, Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +2
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.0%
CVE-2026-6846 HIGH PATCH This Week

Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.

Heap Overflow, Denial Of Service, Buffer Overflow, RCE, Red Hat Enterprise Linux 10, +6
NVD, VulDB
CVSS 3.1: 7.8
EPSS: 0.0%
CVE-2026-6844 MEDIUM PATCH This Month

The readelf utility in binutils is vulnerable to denial of service through two distinct flaws triggered by maliciously crafted ELF files: a resource exhaustion vulnerability (CWE-400) causing out-of-memory conditions and a null pointer dereference (CWE-476) causing segmentation faults. Both vulnerabilities require local access and user interaction to open a malicious file, resulting in the readelf utility crashing or becoming unresponsive. No public exploit code or active exploitation has been identified at the time of analysis.

Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, +2
NVD, VulDB
CVSS 3.1: 5.5
EPSS: 0.0%
CVE-2026-6843 MEDIUM PATCH This Month

Format string vulnerability in nano's statusline() function allows local users to trigger a segmentation fault via directory names containing printf specifiers, causing denial of service. Exploitation requires user interaction (opening a directory with the crafted name) on systems where nano is available to local users. No public exploit code identified at time of analysis.

Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +2
NVD, VulDB
CVSS 3.1: 5.5
EPSS: 0.0%
CVE-2026-6845 MEDIUM PATCH This Month

The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.

Null Pointer Dereference, Denial Of Service, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, +4
NVD, VulDB
CVSS 3.1: 5.0
EPSS: 0.0%
CVE-2026-6842 LOW PATCH Monitor

Nano text editor creates ~/.local directory with overly permissive 0777 permissions instead of 0700 in environments with permissive umask settings, allowing local authenticated users to inject malicious .desktop launcher files that could lead to information disclosure or unintended actions when processed. CVSS score 2.5 reflects local attack vector and low integrity impact, with active exploitation status unknown and no public exploit code identified at time of analysis.

Information Disclosure, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +2
NVD, VulDB
CVSS 3.1: 2.5
EPSS: 0.0%
CVE-2026-6507 HIGH PATCH This Week

Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.

Denial Of Service, Memory Corruption, Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, +6
NVD, VulDB
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2026-1584 HIGH PATCH This Week

Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.

Null Pointer Dereference Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4878 HIGH PATCH This Week

Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. No public exploit identified at time of analysis and EPSS is 0.01%, but a vendor patch is available.

Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-5745 MEDIUM PATCH This Month

Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5704 MEDIUM PATCH This Month

Tar archive extraction allows hidden file injection by local authenticated users through crafted malicious archives, bypassing pre-extraction inspection mechanisms and enabling introduction of attacker-controlled files. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, requires local access and user interaction (extraction action), and presents a moderate integrity risk (CVSS 5.0) with no confirmed active exploitation or public proof-of-concept at time of analysis.

File Upload Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-5673 MEDIUM PATCH This Month

Heap-based out-of-bounds read in libtheora's AVI parser allows local attackers with limited privileges to trigger application crashes or leak heap memory via specially crafted AVI files with truncated header sub-chunks. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and requires user interaction (opening a malicious file), with real-world impact limited to denial-of-service and potential information disclosure rather than code execution.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD GitHub VulDB
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-3184 LOW Monitor

Improper hostname canonicalization in util-linux login(1) utility with the -h option allows remote attackers to bypass host-based PAM access control rules by supplying specially crafted hostnames that are modified before being passed to PAM_RHOST, potentially leading to unauthorized access. The vulnerability affects Red Hat Enterprise Linux 7 through 10 and related products; exploitation requires high attack complexity but no authentication or user interaction. No public exploit code has been identified, and this is not currently confirmed as actively exploited.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +2
NVD VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-35092 HIGH PATCH This Week

Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.

Denial Of Service Integer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-35091 HIGH PATCH This Week

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-5201 HIGH PATCH This Week

Heap-based buffer overflow in gdk-pixbuf's JPEG image loader enables remote denial of service through malformed JPEG images without user interaction. The vulnerability triggers during automated image processing operations like thumbnail generation across Red Hat Enterprise Linux 6 through 10, allowing unauthenticated network attackers to crash applications that process JPEG images. EPSS score of 0.09% (25th percentile) suggests low observed exploitation activity, consistent with SSVC assessment showing no active exploitation despite the vulnerability being fully automatable.

Heap Overflow Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5165 MEDIUM This Month

VirtIO Block device driver in virtio-win fails to properly release memory during device reset, enabling a use-after-free vulnerability that allows high-privileged local attackers to corrupt kernel memory and cause system instability or denial of service. Affected versions span Red Hat Enterprise Linux 8, 9, and 10; no public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available via GitHub PR.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-5164 MEDIUM This Month

Buffer overflow in virtio-win's RhelDoUnMap() function allows local privileged users to trigger a denial of service by supplying an excessive number of descriptors during unmap operations, causing system crashes. Affects Red Hat Enterprise Linux 8, 9, and 10 across multiple architectures. The vulnerability requires high-level privilege (PR:H) but offers no confidentiality or integrity protections beyond the immediate DoS impact, with a CVSS score of 6.7 reflecting the local attack requirement and high-privilege barrier.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-5121 HIGH PATCH This Week

Remote code execution in libarchive on 32-bit systems allows unauthenticated attackers to execute arbitrary code via specially crafted ISO9660 images. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with vendor patches released across multiple RHSA advisories. Despite the CVSS 7.5 score and network attack vector, EPSS exploitation probability is low (0.05%, 16th percentile) and no public exploit is identified at time of analysis, though SSVC classifies the vulnerability as automatable with total technical impact.

RCE Integer Overflow Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5119 MEDIUM PATCH This Month

Libsoup transmits sensitive session cookies in cleartext within HTTP CONNECT requests when establishing HTTPS tunnels through configured HTTP proxies, allowing network-positioned attackers or malicious proxies to intercept and hijack user sessions. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and carries a CVSS 5.9 score with high confidentiality impact; no public exploit code or confirmed active exploitation has been identified at the time of analysis.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-28369 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28368 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-4948 MEDIUM PATCH This Month

Firewalld on Red Hat Enterprise Linux 7, 8, 9, and 10, as well as OpenShift Container Platform 4, contains an authentication bypass vulnerability in two D-Bus setters (setZoneSettings2 and setPolicySettings) that allows local unprivileged users to modify runtime firewall configurations without proper authorization. An authenticated local attacker can exploit this to change network security policies, potentially enabling lateral movement or service disruption. No public exploit code has been identified at the time of analysis, though Red Hat has issued security advisories (CVE-2026-4948, Bugzilla #2452086).

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-0965 LOW PATCH Monitor

libssh attempts to open arbitrary files during configuration parsing, allowing local attackers with limited privileges to trigger a denial of service by forcing access to dangerous files such as block devices or large system files. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Red Hat OpenShift Container Platform 4, and requires local access with low privileges to exploit. No public exploit code or active exploitation has been confirmed at the time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.0
3.3
EPSS
0.0%
CVE-2026-0967 MEDIUM PATCH This Month

libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-0968 LOW PATCH Monitor

Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-0966 HIGH PATCH This Week

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon processes via malformed GSSAPI authentication OID payloads. The vulnerability affects the ssh_get_hexa() API function when processing zero-length input, exploitable remotely when GSSAPI authentication is enabled and logging verbosity is set to SSH_LOG_PACKET (level 3) or higher. Red Hat, Ubuntu, SUSE, and Debian have released patches (libssh 0.11.4 and 0.12.0). EPSS score of 0.09% and SSVC assessment indicate low real-world exploitation likelihood despite network attack vector, with no active exploitation confirmed. Ubuntu classified this as low priority, and CISA SSVC notes exploitation as 'none' but 'automatable' with partial impact.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-2436 MEDIUM PATCH This Month

libsoup's SoupServer contains a use-after-free vulnerability in the soup_server_disconnect() function that prematurely frees connection objects while TLS handshakes are pending, allowing remote unauthenticated attackers to trigger a server crash via denial of service when a handshake completes after memory deallocation. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Ubuntu and Debian distributions across multiple releases. No public exploit code or active exploitation has been confirmed at the time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-4775 HIGH PATCH This Week

A signed integer overflow vulnerability exists in the libtiff library's putcontig8bitYCbCr44tile function that leads to out-of-bounds heap writes through incorrect memory pointer calculations. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are confirmed affected. An attacker can exploit this by tricking a user into opening a specially crafted TIFF file, potentially achieving arbitrary code execution or causing application crashes.

Integer Overflow Denial Of Service RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-1940 MEDIUM PATCH This Month

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read (CVSS 5.1). Remediation should follow standard vulnerability management procedures.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-4424 HIGH PATCH This Week

Heap memory disclosure in libarchive allows remote unauthenticated attackers to read sensitive heap data by submitting a malformed RAR archive. The flaw affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with vendor patches available per multiple RHSA advisories (RHSA-2026:8492 through RHSA-2026:8908). Despite the HIGH CVSS score of 7.5 and network-exploitable vector requiring no authentication, the EPSS score of 0.14% (35th percentile) indicates low observed exploitation probability. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting this remains a patch-and-monitor priority rather than emergency response.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4271 MEDIUM PATCH This Month

HTTP/2 server implementations in libsoup across Debian and Red Hat Enterprise Linux versions contain a use-after-free vulnerability that allows unauthenticated remote attackers to trigger application crashes through specially crafted requests. Exploitation results in denial of service by forcing the application to access freed memory, causing instability. No patch is currently available for this medium-severity flaw.

Denial Of Service Use After Free Memory Corruption Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-4111 HIGH PATCH This Week

Infinite loop in libarchive's RAR5 decompression (archive_read_data) allows remote unauthenticated denial-of-service via malformed archive that passes checksum validation. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4. EPSS 0.04% (11th percentile) suggests low exploitation probability despite CVSS 7.5. Vendor patches available from Red Hat and Ubuntu. Upstream fix in libarchive PR#2877. No active exploitation confirmed (not in CISA KEV).

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4105 MEDIUM PATCH This Month

High severity vulnerability in systemd. A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This al...

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +1
NVD VulDB GitHub
CVSS 3.1
6.7
EPSS
0.0%
EPSS 0% CVSS 5.0
MEDIUM This Month

Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.

Integer Overflow Buffer Overflow Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. This is explicitly an incomplete fix variant of CVE-2025-14905, meaning organizations that patched that prior CVE may remain exposed if the SUP field code path was not remediated; no public exploit has been identified at time of analysis.

Heap Overflow Buffer Overflow Red Hat Directory Server 11 +7
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. Exploitation requires two non-default preconditions - audit logging must be enabled AND either CLEAR password storage must be configured or a replication peer must already be compromised - limiting real-world exposure significantly. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Heap Overflow Buffer Overflow Red Hat Directory Server 11 +7
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.

Denial Of Service Stack Overflow Buffer Overflow +8
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Denial Of Service Red Hat Directory Server 11 Red Hat Directory Server 12 +6
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.

Denial Of Service Integer Overflow Red Hat Directory Server 11 +7
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.

Denial Of Service Null Pointer Dereference Red Hat Directory Server 11 +7
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.

Buffer Overflow Red Hat Directory Server 11 Red Hat Directory Server 12 +6
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Memory Corruption Red Hat Directory Server 11 +7
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.

Information Disclosure Buffer Overflow Red Hat Directory Server 11 +7
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticated network clients to exhaust server memory by initiating a sync operation and halting consumption of responses, causing unbounded queue growth until the server becomes unavailable. Compounding this, race conditions in the plugin's thread lifecycle management can independently trigger server crashes during connection teardown or graceful shutdown. Affected across Red Hat Directory Server 11, 12, and 13 as well as the bundled 389-ds-base package on RHEL 6 through 10. No public exploit identified at time of analysis and no CISA KEV listing.

Denial Of Service Red Hat Directory Server 11 Red Hat Directory Server 12 +6
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Use-after-free read in X.Org X server and Xwayland's CreateSaverWindow() function exposes heap memory to local authenticated users, resulting in information disclosure. A low-privileged local X client can manipulate window attributes and force screen saver activation to trigger a read from freed memory, leaking potentially sensitive heap contents (C:H/I:N/A:N). No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, an upstream fix commit has been published and a Red Hat advisory is available.

Information Disclosure Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in FreeCounter() when SyncCounter objects are destroyed across multiple client connections. Authenticated local attackers on affected Red Hat Enterprise Linux 6 through 10 systems can crash the server or escalate to root when the X server runs with elevated privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Use After Free Memory Corruption Privilege Escalation +5
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

GnuTLS's PKCS#7 padding validation during decryption is not implemented as a constant-time operation, creating a timing side-channel (CWE-208) that remote unauthenticated attackers can exploit to infer padding byte values on CBC-mode cipher suites. Affected deployments include GnuTLS as packaged across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Red Hat has issued patch RHSA-2026:20613; no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified, but the network-reachable, no-auth-required attack surface warrants patching on systems handling sensitive encrypted traffic.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.

Information Disclosure RCE Buffer Overflow +8
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory corruption via an off-by-one error in GnuTLS PKCS#12 bag element handling exposes any application using GnuTLS to remote unauthenticated denial of service - and potentially unspecified further impact - when a crafted PKCS#12 structure is parsed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated complexity, making internet-exposed services that parse client-supplied PKCS#12 inputs the primary risk surface. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.

Denial Of Service Information Disclosure Memory Corruption +9
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.

RCE Command Injection Red Hat Enterprise Linux 10 +5
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Remote code execution in Cockpit's system logs UI allows authenticated users to inject shell metacharacters into unsanitized URL parameters, executing arbitrary commands on RHEL 7/8/9/10 hosts. Attack requires low-complexity exploitation by a logged-in user who can craft malicious links targeting the logs interface. No public exploit identified at time of analysis, though the vulnerable code section is publicly accessible on GitHub. EPSS data not available; CVSS 8.0 reflects high impact across confidentiality, integrity, and availability if user interaction occurs.

Command Injection Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +2
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in X.Org X server XKB geometry processing allows local or remote attackers with X11 server access to disclose sensitive memory contents or cause denial of service by crashing the server. The vulnerability exists in the CheckSetGeom() and XkbAddGeomKeyAlias() functions and requires low privileges but no user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Information Disclosure Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.

Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer underflow in GnuTLS DTLS handshake reassembly allows remote unauthenticated attackers to trigger denial of service or information disclosure via crafted zero-length fragments with non-zero offsets. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a clear remote attack surface requiring no authentication, though the CVSS vector indicates availability impact only (A:H) with no confidentiality or integrity impact confirmed, contradicting the description's mention of information disclosure. No CISA KEV listing or public exploit identified at time of analysis.

Denial Of Service Information Disclosure Integer Overflow +8
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

GnuTLS with OCSP verification enabled incorrectly accepts revoked server certificates when presented with specially crafted multi-record OCSP responses during TLS handshakes, allowing attackers to bypass certificate revocation checks and establish connections to compromised servers. The vulnerability requires high attack complexity and specific OCSP configuration, affecting Red Hat Enterprise Linux 6-10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

GnuTLS performs case-sensitive comparisons of nameConstraints labels in DNS and email certificate constraints, allowing remote attackers to bypass certificate policy validation by crafting leaf certificates with differing character casing in the Subject Alternative Name field. This policy bypass could result in acceptance of certificates that should be rejected, potentially enabling unauthorized access or information disclosure. The vulnerability affects GnuTLS across Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4, with no confirmed active exploitation at time of analysis.

Authentication Bypass Information Disclosure Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Memory Corruption Denial Of Service Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.

Information Disclosure Request Smuggling Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

Buffer Overflow Information Disclosure Denial Of Service +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.

Integer Overflow Denial Of Service Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.

Heap Overflow Denial Of Service Buffer Overflow +8
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The readelf utility in binutils is vulnerable to denial of service through two distinct flaws triggered by maliciously crafted ELF files: a resource exhaustion vulnerability (CWE-400) causing out-of-memory conditions and a null pointer dereference (CWE-476) causing segmentation faults. Both vulnerabilities require local access and user interaction to open a malicious file, resulting in the readelf utility crashing or becoming unresponsive. No public exploit code or active exploitation has been identified at the time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Format string vulnerability in nano's statusline() function allows local users to trigger a segmentation fault via directory names containing printf specifiers, causing denial of service. Exploitation requires user interaction (opening a directory with the crafted name) on systems where nano is available to local users. No public exploit code identified at time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.

Null Pointer Dereference Denial Of Service Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Nano text editor creates ~/.local directory with overly permissive 0777 permissions instead of 0700 in environments with permissive umask settings, allowing local authenticated users to inject malicious .desktop launcher files that could lead to information disclosure or unintended actions when processed. CVSS score 2.5 reflects local attack vector and low integrity impact, with active exploitation status unknown and no public exploit code identified at time of analysis.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.

Denial Of Service Memory Corruption Buffer Overflow +8
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.

Null Pointer Dereference Denial Of Service Red Hat Enterprise Linux 10 +6
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. No public exploit identified at time of analysis and EPSS is 0.01%, but a vendor patch is available.

Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 +5
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Tar archive extraction allows hidden file injection by local authenticated users through crafted malicious archives, bypassing pre-extraction inspection mechanisms and enabling introduction of attacker-controlled files. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, requires local access and user interaction (extraction action), and presents a moderate integrity risk (CVSS 5.0) with no confirmed active exploitation or public proof-of-concept at time of analysis.

File Upload Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Heap-based out-of-bounds read in libtheora's AVI parser allows local attackers with limited privileges to trigger application crashes or leak heap memory via specially crafted AVI files with truncated header sub-chunks. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and requires user interaction (opening a malicious file), with real-world impact limited to denial-of-service and potential information disclosure rather than code execution.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 +4
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

Improper hostname canonicalization in util-linux login(1) utility with the -h option allows remote attackers to bypass host-based PAM access control rules by supplying specially crafted hostnames that are modified before being passed to PAM_RHOST, potentially leading to unauthorized access. The vulnerability affects Red Hat Enterprise Linux 7 through 10 and related products; exploitation requires high attack complexity but no authentication or user interaction. No public exploit code has been identified, and this is not currently confirmed as actively exploited.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.

Denial Of Service Integer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap-based buffer overflow in gdk-pixbuf's JPEG image loader enables remote denial of service through malformed JPEG images without user interaction. The vulnerability triggers during automated image processing operations like thumbnail generation across Red Hat Enterprise Linux 6 through 10, allowing unauthenticated network attackers to crash applications that process JPEG images. EPSS score of 0.09% (25th percentile) suggests low observed exploitation activity, consistent with SSVC assessment showing no active exploitation despite the vulnerability being fully automatable.

Heap Overflow Denial Of Service Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM This Month

VirtIO Block device driver in virtio-win fails to properly release memory during device reset, enabling a use-after-free vulnerability that allows high-privileged local attackers to corrupt kernel memory and cause system instability or denial of service. Affected versions span Red Hat Enterprise Linux 8, 9, and 10; no public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available via GitHub PR.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 +1
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

Buffer overflow in virtio-win's RhelDoUnMap() function allows local privileged users to trigger a denial of service by supplying an excessive number of descriptors during unmap operations, causing system crashes. Affects Red Hat Enterprise Linux 8, 9, and 10 across multiple architectures. The vulnerability requires high-level privilege (PR:H) but offers no confidentiality or integrity protections beyond the immediate DoS impact, with a CVSS score of 6.7 reflecting the local attack requirement and high-privilege barrier.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in libarchive on 32-bit systems allows unauthenticated attackers to execute arbitrary code via specially crafted ISO9660 images. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with vendor patches released across multiple RHSA advisories. Despite the CVSS 7.5 score and network attack vector, EPSS exploitation probability is low (0.05%, 16th percentile) and no public exploit is identified at time of analysis, though SSVC classifies the vulnerability as automatable with total technical impact.

RCE Integer Overflow Buffer Overflow +6
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Libsoup transmits sensitive session cookies in cleartext within HTTP CONNECT requests when establishing HTTPS tunnels through configured HTTP proxies, allowing network-positioned attackers or malicious proxies to intercept and hijack user sessions. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and carries a CVSS 5.9 score with high confidentiality impact; no public exploit code or confirmed active exploitation has been identified at the time of analysis.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Firewalld on Red Hat Enterprise Linux 7, 8, 9, and 10, as well as OpenShift Container Platform 4, contains an authentication bypass vulnerability in two D-Bus setters (setZoneSettings2 and setPolicySettings) that allows local unprivileged users to modify runtime firewall configurations without proper authorization. An authenticated local attacker can exploit this to change network security policies, potentially enabling lateral movement or service disruption. No public exploit code has been identified at the time of analysis, though Red Hat has issued security advisories (CVE-2026-4948, Bugzilla #2452086).

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +3
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

libssh attempts to open arbitrary files during configuration parsing, allowing local attackers with limited privileges to trigger a denial of service by forcing access to dangerous files such as block devices or large system files. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Red Hat OpenShift Container Platform 4, and requires local access with low privileges to exploit. No public exploit code or active exploitation has been confirmed at the time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 +5
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon processes via malformed GSSAPI authentication OID payloads. The vulnerability affects the ssh_get_hexa() API function when processing zero-length input, exploitable remotely when GSSAPI authentication is enabled and logging verbosity is set to SSH_LOG_PACKET (level 3) or higher. Red Hat, Ubuntu, SUSE, and Debian have released patches (libssh 0.11.4 and 0.12.0). EPSS score of 0.09% and SSVC assessment indicate low real-world exploitation likelihood despite network attack vector, with no active exploitation confirmed. Ubuntu classified this as low priority, and CISA SSVC notes exploitation as 'none' but 'automatable' with partial impact.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

libsoup's SoupServer contains a use-after-free vulnerability in the soup_server_disconnect() function that prematurely frees connection objects while TLS handshakes are pending, allowing remote unauthenticated attackers to crash the server (denial of service) when a handshake completes after memory deallocation. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Ubuntu and Debian distributions across multiple releases. No public exploit code or active exploitation has been confirmed at the time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A signed integer overflow vulnerability exists in the libtiff library's putcontig8bitYCbCr44tile function that leads to out-of-bounds heap writes through incorrect memory pointer calculations. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are confirmed affected. An attacker can exploit this by tricking a user into opening a specially crafted TIFF file, potentially achieving arbitrary code execution or causing application crashes.

Integer Overflow Denial Of Service RCE +5
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

An incomplete fix for CVE-2024-47778 (CVSS 5.1) allows an out-of-bounds read. Remediation should follow standard vulnerability management procedures.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap memory disclosure in libarchive allows remote unauthenticated attackers to read sensitive heap data by submitting a malformed RAR archive. The flaw affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with vendor patches available per multiple RHSA advisories (RHSA-2026:8492 through RHSA-2026:8908). Despite the HIGH CVSS score of 7.5 and network-exploitable vector requiring no authentication, the EPSS score of 0.14% (35th percentile) indicates low observed exploitation probability. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting this remains a patch-and-monitor priority rather than emergency response.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 +5
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

HTTP/2 server implementations in libsoup across Debian and Red Hat Enterprise Linux versions contain a use-after-free vulnerability that allows unauthenticated remote attackers to trigger application crashes through specially crafted requests. Exploitation results in denial of service by forcing the application to access freed memory, causing instability. No patch is currently available for this medium-severity flaw.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Infinite loop in libarchive's RAR5 decompression (archive_read_data) allows remote unauthenticated denial-of-service via malformed archive that passes checksum validation. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4. EPSS 0.04% (11th percentile) suggests low exploitation probability despite CVSS 7.5. Vendor patches available from Red Hat and Ubuntu. Upstream fix in libarchive PR#2877. No active exploitation confirmed (not in CISA KEV).

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

High severity vulnerability in systemd. A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This al...

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +3
NVD VulDB GitHub
