VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Critical/high still unreviewed, or CISA KEV listed
Cross-site scripting (XSS) via case-insensitive URI validation bypass. Red Hat rates this important (CVSS 7.3). Weakness: CWE-79. Red Hat lists fixing advisory RHSA-2026:30049 with package rhbk/keycloak-operator-bundle:26.4.13-1, rhbk/keycloak-rhel9-operator:26.4-19, rhbk/keycloak-rhel9, rhbk/keycloak-rhel9:26.6-8.
Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653. Red Hat severity: Moderate — CVSS 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H). Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Hardened Images; Red Hat OpenShift Container Platform 4. Red Hat does not currently list a fixing RHSA for this CVE.
Arbitrary code execution via Vimscript code injection in netrw plugin. Red Hat rates this important (CVSS 7.8). Weakness: CWE-94.
Arbitrary code execution via malicious docstrings in Python omni-completion. Red Hat rates this important (CVSS 7.8). Weakness: CWE-94. Red Hat lists fixing advisory RHSA-2026:35387 with package vim-main-9.2.780-1.hum1.
A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. Red Hat rates this important (CVSS 8). Weakness: CWE-787.
Denial of DNS over TLS service by any DoT client. Red Hat rates this important (CVSS 7.5). Weakness: CWE-617.
Out of bounds stack write with crafted APL RR. Red Hat rates this important (CVSS 8). Weakness: CWE-787.
Fix buffer overflow in SDMA queue checkpoint/restore on GFX11. Red Hat rates this important (CVSS 7). Weakness: CWE-131.
Try to fix change_handle ioctl, attempt 4. Red Hat rates this important (CVSS 7). Weakness: CWE-367.
Clamp XDomain response data copy to allocation size. Red Hat rates this important (CVSS 7). Weakness: CWE-787.
drain before clearing xarray entry on reparent. Red Hat rates this important (CVSS 7). Weakness: CWE-820.
fix use-after-free caused by the fqdir_pre_exit() flush. Red Hat rates this important (CVSS 7).
Fix signed integer truncation in IPC receive. Red Hat rates this important (CVSS 7).
Add buffer overflow check in MS get_info_ioctl. Red Hat rates this important (CVSS 7). Weakness: CWE-120.
Take the SRCU lock for page table walks in fault injection and AT emulation. Red Hat rates this important (CVSS 7). Weakness: CWE-820.
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match. A flaw was found in nsd. This authentication bypass allows an attacker to perform unauthorized zone transfers, leading to information disclosure. This flaw is rated as Moderate. This allows unauthorized zone transfers and information disclosure if requests are made over the regular TLS or TCP port, as the `tls-auth-xfr-only` option is not enabled by default. This vulnerability doesn't affect any supported Red Hat Product. Red Hat severity: Moderate — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-303.
In the Linux kernel, the following vulnerability has been resolved: fuse: reject fuse_notify() pagecache ops on directories The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the FUSE daemon to actively write/read pagecache contents. For directories with FOPEN_CACHE_DIR, the pagecache is used as kernel-internal cache storage, and userspace is not supposed to have direct access to this cache - in particular, fuse_parse_cache() will hit WARN_ON() if the cache contains bogus data. Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than regular files with -EINVAL. A flaw was found in the Linux kernel's Filesystem in Userspace (FUSE) component. When these operations are performed on directories configured with `FOPEN_CACHE_DIR`, userspace can improperly access and manipulate kernel-internal cache storage. This could lead to system instability or a denial of service if the cache contains invalid data, potentially triggering a kernel warning. Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-266. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9. Red Hat does not currently list a fixing RHSA for this CVE.
In the Linux kernel, the following vulnerability has been resolved: tcp: restrict SO_ATTACH_FILTER to priv users This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets to users with CAP_NET_ADMIN capability. This blocks potential side-channel attack where an unprivileged application attaches a filter to leak TCP sequence/acknowledgment numbers. An unprivileged application can exploit this vulnerability by attaching a Berkeley Packet Filter (BPF) using the SO_ATTACH_FILTER option. This allows the application to conduct a side-channel attack, leading to the leakage of sensitive TCP sequence and acknowledgment numbers. This information disclosure could potentially be used to aid further attacks. Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-266. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9. Will not fix / out of support: Red Hat Enterprise Linux 6. Red Hat does not currently list a fixing RHSA for this CVE.
In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases. A flaw was found in the Advanced Linux Sound Architecture (ALSA) Pulse-Code Modulation (PCM) component of the Linux kernel. An attacker could exploit this issue to trigger a kernel panic, leading to a Denial of Service (DoS) on the affected system.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() then locks the listener, queues a child socket on it, and may notify it after unlocking it. The buggy scenario involves two paths, with each column showing the order within that path: rfcomm_connect_ind(): listener close: 1. Find parent in 1. close() enters rfcomm_get_sock_by_channel() rfcomm_sock_release(). 2. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown() without pinning parent. closes the listener. 3. Call lock_sock(parent) and 3. rfcomm_sock_kill() bt_accept_enqueue(parent, unlinks and puts parent. sk, true). 4. Read parent flags and may 4. parent can be freed. call sk_state_change(). If close wins the race, parent can be freed before rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the deferred-setup callback. After lock_sock() succeeds, recheck that it is still in BT_LISTEN before queueing a child, cache the deferred-setup bit while the parent is locked, and drop the reference after the last parent use.