High7.5Red Hat & Ubuntu Linux Updated
Denial of Service via quadratic CPU time parsing with merge keys
CVE-2026-59868 Published Jul 8, 2026Updated by vendor Jul 8, 2026
CVE-2026-59868
Affected products & platforms
Red Hat & Ubuntu LinuxUnclassified
Summary
Denial of Service via quadratic CPU time parsing with merge keys. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1333. Affected package(s): rust-main. Resolved in Red Hat advisory RHSA-2026:34975 — update the affected packages (`sudo dnf update`).
Affected versions
- rust-main-1.96.1-1.hum1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
- RHSA-2026:34975
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade to js-yaml 5.2.0 or later. Where an immediate upgrade is not possible, avoid parsing untrusted YAML documents that use merge keys ('<<'), or apply size and time limits when parsing untrusted YAML input.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.