Critical/high still unreviewed, or CISA KEV listed
Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND. Red Hat rates this important (CVSS 8.8). Weakness: CWE-122. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation. Red Hat rates this important (CVSS 8.8). Weakness: CWE-1188. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted BDF font file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted GD 2.x image file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1285. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via excessive memory allocation when processing font files. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1050. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Unbounded GraphQL query depth allows authenticated denial of service. Red Hat rates this important (CVSS 7.7). Weakness: CWE-400. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Crypt::DSA: Crypt::DSA: Private key recovery due to biased random number generation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-338. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Arbitrary Code Execution via Untrusted JAR File Loading. Red Hat rates this important (CVSS 7.8). Weakness: CWE-347. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Fix shadow paging use-after-free due to unexpected role. Red Hat rates this important (CVSS 7). Weakness: CWE-825. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Require in-GHCB scratch area if GHCB v2+ is in use. Red Hat rates this important (CVSS 7). Weakness: CWE-787. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check. A flaw was found in the Linux kernel's ipv6 networking subsystem. An incorrect parameter length calculation allows an attacker with permissions to create UDP sockets to trigger overwrites of kernel memory, potentially leading to privilege escalation, data corruption, or a system crash. Red Hat severity: Important — CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-130. Fixed by RHSA-2026:34911, RHSA-2026:35840 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 10.0 Extended Update Support.
Incomplete Fix for CVE-2026-8631. Red Hat rates this important (CVSS 9.8). Weakness: CWE-190. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Arbitrary code execution via deserialization vulnerability. Red Hat rates this important (CVSS 8.8). Weakness: CWE-502. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Man-in-the-middle attack via SSH host key bypass. Red Hat rates this important (CVSS 7.4). Weakness: CWE-347. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure due to persistent Referer header. Red Hat rates this important (CVSS 7.5). Weakness: CWE-201. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure via cached SSL session and early data. Red Hat rates this important (CVSS 7.5). Weakness: CWE-295. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Use-after-free via curl_easy_pause() in CURLMOPT_SOCKETFUNCTION callback. Red Hat rates this important (CVSS 7.3). Weakness: CWE-825. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure due to failure to clear proxy authentication credentials. Red Hat rates this important (CVSS 7.5). Weakness: CWE-212. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Security feature bypass due to improper mTLS connection reuse. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1025. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure due to uncleared proxy authentication state. Red Hat rates this important (CVSS 7.5). Weakness: CWE-201. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Double-free vulnerability in SASL authentication. Red Hat rates this important (CVSS 8.1). Weakness: CWE-1341. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Insecure connection establishment due to TLS configuration mismatch. Red Hat rates this important (CVSS 8.1). Weakness: CWE-295. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
SSH host verification bypass when using schemeless URLs with SFTP/SCP. Red Hat rates this important (CVSS 7.5). Weakness: CWE-358. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via WebSocket PING flood. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Remote denial of service via QUIC UDP receive function vulnerability. Red Hat rates this important (CVSS 7.5). Weakness: CWE-835. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Arbitrary file read and code execution via path traversal. Red Hat rates this important (CVSS 7.5). Weakness: CWE-22. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service in TLS 1.3 session ticket handling. Red Hat rates this important (CVSS 7.5). Weakness: CWE-130. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via unvalidated endpoint URL length. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1284. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via uncontrolled resource consumption in JSON parsing. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contain a memory leak when handling AppArmor notifications. A local attacker could use this to cause resource exhaustion. Affected Ubuntu releases: 24.04. CVEs: CVE-2026-43314, CVE-2026-45974, CVE-2025-71291, CVE-2026-45870, CVE-2026-43341, CVE-2026-47332, CVE-2026-23229, CVE-2026-47326….
Authentication bypass due to improper input neutralization. Red Hat rates this critical (CVSS 9.1). Weakness: CWE-140. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Remote code execution via JNDI injection. Red Hat rates this important (CVSS 7.5). Weakness: CWE-502. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
SQL Injection vulnerability. Red Hat rates this important (CVSS 7.3). Weakness: CWE-89. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Security bypass via Container Device Interface (CDI) annotation smuggling during checkpoint restoration.. Red Hat rates this important (CVSS 8.2). Weakness: CWE-807. Affected package(s): syft-main, trivy-main. Resolved in Red Hat advisory RHSA-2026:15862 — update the affected packages (`sudo dnf update`).
Privilege escalation via incorrect user ID handling. Red Hat rates this important (CVSS 7.8). Weakness: CWE-681. Affected package(s): trivy-main. Resolved in Red Hat advisory RHSA-2026:35111 — update the affected packages (`sudo dnf update`).
Denial of Service via excessive HTTP headers. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted ALZ file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted DMG file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-190. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted 7z file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted PESpin file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted InstallShield file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted Portable Executable (PE) files. Red Hat rates this important (CVSS 7.5). Weakness: CWE-787. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted FSG file parsing. Red Hat rates this important (CVSS 7.5). Weakness: CWE-787. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Privilege escalation to administrator-level access via usergroup role assignment manipulation. Red Hat rates this important (CVSS 8.8). Weakness: CWE-266. Affected package(s): foreman. Resolved in Red Hat advisory RHSA-2026:34366 — update the affected packages (`sudo dnf update`).
Authentication bypass via predictable session IDs. Red Hat rates this important (CVSS 7.4). Weakness: CWE-331. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Host-root command execution via unvalidated image config labels in CRI plugin. Red Hat rates this important (CVSS 8.8). Weakness: CWE-78. Affected package(s): multicluster-engine/assisted-service, trivy-main. Resolved in Red Hat advisory RHSA-2026:36167 — update the affected packages (`sudo dnf update`).
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0. A flaw was found in c3p0, a JDBC Connection pooling library. This vulnerability allows a remote attacker to potentially execute arbitrary code by crafting a malicious data source object. When an application deserializes this object and automatically resolves its properties, it can trigger vulnerable JDBC drivers. This requires specific conditions, including the presence of a susceptible JDBC driver and a mechanism for automatic property resolution during deserialization. A flaw was found in c3p0. Prior to version 0.14.0, c3p0's DataSource and ConnectionPoolDataSource implementations expose getConnection() and getPooledConnection() as JavaBean properties. During deserialization, carrier libraries such as Apache Commons BeanUtils automatically invoke these getters, which can trigger calls into JDBC drivers. An attacker who can deliver a crafted serialized object to an application could exploit this to achieve remote code execution. Successful exploitation requires all of the following prerequisites to be met: 1. c3p0 < 0.14.0 on the application classpath 2. A vulnerable JDBC driver on the classpath 3. A carrier library that auto-reads JavaBean properties during deserialization (e.g., commons-beanutils with a Comparator in a sorted collection) 4. A deserialization entry point that processes attacker-controlled data (e.g., via RMI, JMX, or HTTP) This is a gadget chain attack where c3p0 provides one essential component. Removing any single prerequisite from the classpath prevents exploitation. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-502. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Fuse 7.
Discuss the latest advisories, swap patch-day notes with other infra teams, and get support — straight from the people who run VulniPulse.
Join the communityIf you want to support server/domain costs, please donate below — much love ❤️
Donate