Red Hat Openshift Container Platform 4
Monthly
Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. The primary confirmed impact is a denial of service (DoS) of the QEMU process on the host; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.
Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.
HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission to create or modify Route resources to inject controlled directives into the cluster ingress configuration via the spec.path field. No public exploit identified at time of analysis, but the CVSS 8.8 score with scope change (S:C) reflects the ability to break out of the tenant boundary and impact the shared HAProxy router serving the entire cluster.
GnuTLS's PKCS#7 padding validation during decryption is not implemented as a constant-time operation, creating a timing side-channel (CWE-208) that remote unauthenticated attackers can exploit to infer padding byte values on CBC-mode cipher suites. Affected deployments include GnuTLS as packaged across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Red Hat has issued patch RHSA-2026:20613; no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified, but the network-reachable, no-auth-required attack surface warrants patching on systems handling sensitive encrypted traffic.
Server-side request forgery in Red Hat OpenShift Container Platform 4's Router component allows authenticated users with EndpointSlice write permissions to coerce the router into proxying requests to cloud provider instance metadata endpoints (e.g., 169.254.169.254), exposing instance credentials and sensitive metadata. The flaw bypasses prior IP-address-based validation by abusing FQDN-backed EndpointSlices that resolve to metadata services. No public exploit identified at time of analysis, and the issue is not present on CISA KEV.
Memory corruption via an off-by-one error in GnuTLS PKCS#12 bag element handling exposes any application using GnuTLS to remote unauthenticated denial of service - and potentially unspecified further impact - when a crafted PKCS#12 structure is parsed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated complexity, making internet-exposed services that parse client-supplied PKCS#12 inputs the primary risk surface. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.
Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.
Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.
Integer underflow in GnuTLS DTLS handshake reassembly allows remote unauthenticated attackers to trigger denial of service or information disclosure via crafted zero-length fragments with non-zero offsets. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a clear remote attack surface requiring no authentication, though the CVSS vector indicates availability impact only (A:H) with no confidentiality or integrity impact confirmed, contradicting the description's mention of information disclosure. No CISA KEV listing or public exploit identified at time of analysis.
GnuTLS with OCSP verification enabled incorrectly accepts revoked server certificates when presented with specially crafted multi-record OCSP responses during TLS handshakes, allowing attackers to bypass certificate revocation checks and establish connections to compromised servers. The vulnerability requires high attack complexity and specific OCSP configuration, affecting Red Hat Enterprise Linux 6-10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code or active exploitation has been identified at the time of analysis.
GnuTLS performs case-sensitive comparisons of nameConstraints labels in DNS and email certificate constraints, allowing remote attackers to bypass certificate policy validation by crafting leaf certificates with differing character casing in the Subject Alternative Name field. This policy bypass could result in acceptance of certificates that should be rejected, potentially enabling unauthorized access or information disclosure. The vulnerability affects GnuTLS across Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4, with no confirmed active exploitation at time of analysis.
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.
The readelf utility in binutils is vulnerable to denial of service through two distinct flaws triggered by maliciously crafted ELF files: a resource exhaustion vulnerability (CWE-400) causing out-of-memory conditions and a null pointer dereference (CWE-476) causing segmentation faults. Both vulnerabilities require local access and user interaction to open a malicious file, resulting in the readelf utility crashing or becoming unresponsive. No public exploit code or active exploitation has been identified at the time of analysis.
Format string vulnerability in nano's statusline() function allows local users to trigger a segmentation fault via directory names containing printf specifiers, causing denial of service. Exploitation requires user interaction (opening a directory with the crafted name) on systems where nano is available to local users. No public exploit code identified at time of analysis.
The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.
Nano text editor creates ~/.local directory with overly permissive 0777 permissions instead of 0700 in environments with permissive umask settings, allowing local authenticated users to inject malicious .desktop launcher files that could lead to information disclosure or unintended actions when processed. CVSS score 2.5 reflects local attack vector and low integrity impact, with active exploitation status unknown and no public exploit code identified at time of analysis.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.
Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. No public exploit identified at time of analysis and EPSS is 0.01%, but a vendor patch is available.
Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.
Improper hostname canonicalization in util-linux login(1) utility with the -h option allows remote attackers to bypass host-based PAM access control rules by supplying specially crafted hostnames that are modified before being passed to PAM_RHOST, potentially leading to unauthorized access. The vulnerability affects Red Hat Enterprise Linux 7 through 10 and related products; exploitation requires high attack complexity but no authentication or user interaction. No public exploit code has been identified, and this is not currently confirmed as actively exploited.
Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.
Remote code execution in libarchive on 32-bit systems allows unauthenticated attackers to execute arbitrary code via specially crafted ISO9660 images. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with vendor patches released across multiple RHSA advisories. Despite the CVSS 7.5 score and network attack vector, EPSS exploitation probability is low (0.05%, 16th percentile) and no public exploit is identified at time of analysis, though SSVC classifies the vulnerability as automatable with total technical impact.
Firewalld on Red Hat Enterprise Linux 7, 8, 9, and 10, as well as OpenShift Container Platform 4, contains an authentication bypass vulnerability in two D-Bus setters (setZoneSettings2 and setPolicySettings) that allows local unprivileged users to modify runtime firewall configurations without proper authorization. An authenticated local attacker can exploit this to change network security policies, potentially enabling lateral movement or service disruption. No public exploit code has been identified at the time of analysis, though Red Hat has issued security advisories (CVE-2026-4948, Bugzilla #2452086).
libssh attempts to open arbitrary files during configuration parsing, allowing local attackers with limited privileges to trigger a denial of service by forcing access to dangerous files such as block devices or large system files. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Red Hat OpenShift Container Platform 4, and requires local access with low privileges to exploit. No public exploit code or active exploitation has been confirmed at the time of analysis.
libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.
Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon processes via malformed GSSAPI authentication OID payloads. The vulnerability affects the ssh_get_hexa() API function when processing zero-length input, exploitable remotely when GSSAPI authentication is enabled and logging verbosity is set to SSH_LOG_PATCH (level 3) or higher. Red Hat, Ubuntu, SUSE, and Debian have released patches (libssh 0.11.4 and 0.12.0). EPSS score of 0.09% and SSVC assessment indicate low real-world exploitation likelihood despite network attack vector, with no active exploitation confirmed. Ubuntu classified this as low priority, and CISA SSVC notes exploitation as 'none' but 'automatable' with partial impact.
Heap memory disclosure in libarchive allows remote unauthenticated attackers to read sensitive heap data by submitting a malformed RAR archive. The flaw affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with vendor patches available per multiple RHSA advisories (RHSA-2026:8492 through RHSA-2026:8908). Despite the HIGH CVSS score of 7.5 and network-exploitable vector requiring no authentication, the EPSS score of 0.14% (35th percentile) indicates low observed exploitation probability. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting this remains a patch-and-monitor priority rather than emergency response.
Infinite loop in libarchive's RAR5 decompression (archive_read_data) allows remote unauthenticated denial-of-service via malformed archive that passes checksum validation. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4. EPSS 0.04% (11th percentile) suggests low exploitation probability despite CVSS 7.5. Vendor patches available from Red Hat and Ubuntu. Upstream fix in libarchive PR#2877. No active exploitation confirmed (not in CISA KEV).
High severity vulnerability in systemd. A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This al...
Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. The primary confirmed impact is a denial of service (DoS) of the QEMU process on the host; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.
Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.
HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission to create or modify Route resources to inject controlled directives into the cluster ingress configuration via the spec.path field. No public exploit identified at time of analysis, but the CVSS 8.8 score with scope change (S:C) reflects the ability to break out of the tenant boundary and impact the shared HAProxy router serving the entire cluster.
GnuTLS's PKCS#7 padding validation during decryption is not implemented as a constant-time operation, creating a timing side-channel (CWE-208) that remote unauthenticated attackers can exploit to infer padding byte values on CBC-mode cipher suites. Affected deployments include GnuTLS as packaged across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Red Hat has issued patch RHSA-2026:20613; no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified, but the network-reachable, no-auth-required attack surface warrants patching on systems handling sensitive encrypted traffic.
Server-side request forgery in Red Hat OpenShift Container Platform 4's Router component allows authenticated users with EndpointSlice write permissions to coerce the router into proxying requests to cloud provider instance metadata endpoints (e.g., 169.254.169.254), exposing instance credentials and sensitive metadata. The flaw bypasses prior IP-address-based validation by abusing FQDN-backed EndpointSlices that resolve to metadata services. No public exploit identified at time of analysis, and the issue is not present on CISA KEV.
Memory corruption via an off-by-one error in GnuTLS PKCS#12 bag element handling exposes any application using GnuTLS to remote unauthenticated denial of service - and potentially unspecified further impact - when a crafted PKCS#12 structure is parsed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated complexity, making internet-exposed services that parse client-supplied PKCS#12 inputs the primary risk surface. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.
Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.
Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.
Integer underflow in GnuTLS DTLS handshake reassembly allows remote unauthenticated attackers to trigger denial of service or information disclosure via crafted zero-length fragments with non-zero offsets. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a clear remote attack surface requiring no authentication, though the CVSS vector indicates availability impact only (A:H) with no confidentiality or integrity impact confirmed, contradicting the description's mention of information disclosure. No CISA KEV listing or public exploit identified at time of analysis.
GnuTLS with OCSP verification enabled incorrectly accepts revoked server certificates when presented with specially crafted multi-record OCSP responses during TLS handshakes, allowing attackers to bypass certificate revocation checks and establish connections to compromised servers. The vulnerability requires high attack complexity and specific OCSP configuration, affecting Red Hat Enterprise Linux 6-10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code or active exploitation has been identified at the time of analysis.
GnuTLS performs case-sensitive comparisons of nameConstraints labels in DNS and email certificate constraints, allowing remote attackers to bypass certificate policy validation by crafting leaf certificates with differing character casing in the Subject Alternative Name field. This policy bypass could result in acceptance of certificates that should be rejected, potentially enabling unauthorized access or information disclosure. The vulnerability affects GnuTLS across Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4, with no confirmed active exploitation at time of analysis.
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a malicious object file. Red Hat Enterprise Linux versions 6 through 10 are confirmed affected via CPE data. CVSS 7.8 reflects local attack vector requiring user interaction (opening/linking the crafted file). No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept identified at time of analysis. Real-world risk depends heavily on whether development workflows involve linking untrusted XCOFF files, which is uncommon outside AIX/PowerPC cross-compilation scenarios.
The readelf utility in binutils is vulnerable to denial of service through two distinct flaws triggered by maliciously crafted ELF files: a resource exhaustion vulnerability (CWE-400) causing out-of-memory conditions and a null pointer dereference (CWE-476) causing segmentation faults. Both vulnerabilities require local access and user interaction to open a malicious file, resulting in the readelf utility crashing or becoming unresponsive. No public exploit code or active exploitation has been identified at the time of analysis.
Format string vulnerability in nano's statusline() function allows local users to trigger a segmentation fault via directory names containing printf specifiers, causing denial of service. Exploitation requires user interaction (opening a directory with the crafted name) on systems where nano is available to local users. No public exploit code identified at time of analysis.
The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.
Nano text editor creates ~/.local directory with overly permissive 0777 permissions instead of 0700 in environments with permissive umask settings, allowing local authenticated users to inject malicious .desktop launcher files that could lead to information disclosure or unintended actions when processed. CVSS score 2.5 reflects local attack vector and low integrity impact, with active exploitation status unknown and no public exploit code identified at time of analysis.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.
Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. No public exploit identified at time of analysis and EPSS is 0.01%, but a vendor patch is available.
Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.
Improper hostname canonicalization in util-linux login(1) utility with the -h option allows remote attackers to bypass host-based PAM access control rules by supplying specially crafted hostnames that are modified before being passed to PAM_RHOST, potentially leading to unauthorized access. The vulnerability affects Red Hat Enterprise Linux 7 through 10 and related products; exploitation requires high attack complexity but no authentication or user interaction. No public exploit code has been identified, and this is not currently confirmed as actively exploited.
Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.
Remote code execution in libarchive on 32-bit systems allows unauthenticated attackers to execute arbitrary code via specially crafted ISO9660 images. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with vendor patches released across multiple RHSA advisories. Despite the CVSS 7.5 score and network attack vector, EPSS exploitation probability is low (0.05%, 16th percentile) and no public exploit is identified at time of analysis, though SSVC classifies the vulnerability as automatable with total technical impact.
Firewalld on Red Hat Enterprise Linux 7, 8, 9, and 10, as well as OpenShift Container Platform 4, contains an authentication bypass vulnerability in two D-Bus setters (setZoneSettings2 and setPolicySettings) that allows local unprivileged users to modify runtime firewall configurations without proper authorization. An authenticated local attacker can exploit this to change network security policies, potentially enabling lateral movement or service disruption. No public exploit code has been identified at the time of analysis, though Red Hat has issued security advisories (CVE-2026-4948, Bugzilla #2452086).
libssh attempts to open arbitrary files during configuration parsing, allowing local attackers with limited privileges to trigger a denial of service by forcing access to dangerous files such as block devices or large system files. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Red Hat OpenShift Container Platform 4, and requires local access with low privileges to exploit. No public exploit code or active exploitation has been confirmed at the time of analysis.
libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.
Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon processes via malformed GSSAPI authentication OID payloads. The vulnerability affects the ssh_get_hexa() API function when processing zero-length input, exploitable remotely when GSSAPI authentication is enabled and logging verbosity is set to SSH_LOG_PATCH (level 3) or higher. Red Hat, Ubuntu, SUSE, and Debian have released patches (libssh 0.11.4 and 0.12.0). EPSS score of 0.09% and SSVC assessment indicate low real-world exploitation likelihood despite network attack vector, with no active exploitation confirmed. Ubuntu classified this as low priority, and CISA SSVC notes exploitation as 'none' but 'automatable' with partial impact.
Heap memory disclosure in libarchive allows remote unauthenticated attackers to read sensitive heap data by submitting a malformed RAR archive. The flaw affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with vendor patches available per multiple RHSA advisories (RHSA-2026:8492 through RHSA-2026:8908). Despite the HIGH CVSS score of 7.5 and network-exploitable vector requiring no authentication, the EPSS score of 0.14% (35th percentile) indicates low observed exploitation probability. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting this remains a patch-and-monitor priority rather than emergency response.
Infinite loop in libarchive's RAR5 decompression (archive_read_data) allows remote unauthenticated denial-of-service via malformed archive that passes checksum validation. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4. EPSS 0.04% (11th percentile) suggests low exploitation probability despite CVSS 7.5. Vendor patches available from Red Hat and Ubuntu. Upstream fix in libarchive PR#2877. No active exploitation confirmed (not in CISA KEV).
High severity vulnerability in systemd. A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This al...