623 advisories tracked · Red Hat Security Data API + Ubuntu Security Notices · checked automatically every minute
Pick your distribution release to see every advisory issued for it and its severity mix. Fixes ship as errata — keep the system patched. This is the release's advisory history, not a per-package scan.
Red Hat Security Data API + Ubuntu Security Notices
Combines Red Hat Enterprise Linux errata (RHSA) via the official Red Hat Security Data API — CVE severity, CVSS and affected packages — with Ubuntu Security Notices (USN) via ubuntu.com's public API (affected releases + CVEs). Both are credential-free official sources.
Visit Red Hat & Ubuntu Linux security advisoriesRequest smuggling via re-parsing of Content-Length header. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-444. Affected package(s): rust-main. Resolved in Red Hat advisory RHSA-2026:34975 — update the affected packages (`sudo dnf update`).
Arbitrary host file read via symlink following in CRI checkpoint restore. Red Hat rates this important (CVSS 6.5). Weakness: CWE-59. Affected package(s): trivy-main. Resolved in Red Hat advisory RHSA-2026:15862 — update the affected packages (`sudo dnf update`).
Arbitrary code execution via CRI checkpoint image tag poisoning. Red Hat rates this moderate (CVSS 6.7). Weakness: CWE-1289. Affected package(s): trivy-main. Resolved in Red Hat advisory RHSA-2026:35111 — update the affected packages (`sudo dnf update`).
Denial of Service via maliciously crafted image leading to unbounded group parsing. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-770. Affected package(s): syft-main, trivy-main, kubernetes1, grype-main, opentelemetry-collector-contrib-main. Resolved in Red Hat advisory RHSA-2026:35111 — update the affected packages (`sudo dnf update`).
Information disclosure via improper validation of nested request parameters. Red Hat rates this moderate (CVSS 4.3). Weakness: CWE-639. Affected package(s): foreman. Resolved in Red Hat advisory RHSA-2026:34366 — update the affected packages (`sudo dnf update`).
Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue. A flaw was found in Apache Tomcat. An improper authentication vulnerability in the EncryptionInterceptor component allows a remote attacker to perform a replay attack. This could lead to unauthorized access or manipulation of data within the cluster component. A flaw was found in Apache Tomcat's EncryptionInterceptor used for Tribes cluster communication. An improper authentication vulnerability allows a replay attack against encrypted cluster messages. Exploitation requires the EncryptionInterceptor to be configured for Tomcat clustering, which is a non-default configuration, and the attacker must have access to the cluster network to capture and replay messages. Apache rates this vulnerability as Low severity. Red Hat has corrected the impact from IMPORTANT to MODERATE — the original AI-Bot CVSS of 8.2 (AV:N/AC:L) incorrectly scored this as internet-facing with low complexity, when Tribes cluster traffic is adjacent-network (AV:A) and requires non-default clustering configuration (AC:H). The corrected vector is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.2). Red Hat severity: Moderate — CVSS 4.2 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-294. Fixed by RHSA-2026:29203, RHSA-2026:32960 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue. A flaw was found in Apache Tomcat's rewrite valve. This vulnerability involves an incorrect control flow implementation where, during the processing of rewrite rules, if the first condition in an OR chain matched, subsequent non-OR conditions were unexpectedly skipped. This can lead to unintended rule processing, potentially allowing for security bypasses or unauthorized access due to misapplied configurations. A flaw was found in Apache Tomcat's RewriteValve. When rewrite rules use OR-chained conditions followed by non-OR conditions, the processing logic may not evaluate conditions correctly, potentially allowing unintended rule matches. Exploitation requires the RewriteValve to be enabled with specific OR-chained condition patterns, which is not a default configuration. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-358. Fixed by RHSA-2026:29203, RHSA-2026:32960 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue. A flaw was found in Apache Tomcat. This vulnerability, known as Cross-Site Scripting (XSS), allows a remote attacker to inject malicious scripts into the 'number guess example' web page. When other users view the compromised page, these scripts can execute in their web browsers. This could lead to unauthorized access to sensitive information or allow an attacker to alter the content of the website. A flaw was found in Apache Tomcat. A Cross-Site Scripting (XSS) vulnerability exists in the "number guess" example web application shipped with Tomcat. An attacker can inject malicious scripts into the example page, which execute in other users' browsers when they view the page. This vulnerability only affects the example web application, not the Tomcat servlet container itself. Red Hat Tomcat packages do not deploy example applications by default — they are in separate optional packages (e.g., tomcat-webapps) that are not installed in production environments. Red Hat severity: Moderate — CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). Weakness: CWE-79. Fixed by RHSA-2026:32960 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process. This issue has been fixed in the commit c2e233fc. NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug. A flaw was found in libxml2, specifically within the xmlcatalog utility when operating in shell mode. An attacker can exploit multiple stack-based buffer overflows by providing an excessively long input line. This leads to memory corruption, which may cause the application to crash or potentially allow the attacker to execute arbitrary code within the context of the xmlcatalog process. Red Hat severity: Moderate — CVSS 4.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L). Weakness: CWE-120. Fixed by RHSA-2026:33840 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation. A time-of-check to time-of-use (TOCTOU) race condition vulnerability was found in `acl`. By replacing a pathname component with a symbolic link between a security check and subsequent file operations, an attacker can redirect file access control list operations. This occurs when privileged processes invoke `getfacl` or `setfacl` over an attacker-controlled path, potentially leading to local privilege escalation. Red Hat severity: Moderate — CVSS 6.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-367. Fixed by RHSA-2026:34351 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path. A flaw was found in the `attr` package. This vulnerability allows a local attacker to perform a symlink traversal attack by replacing a pathname component with a symbolic link - either during directory hierarchy traversal by `getfattr` or during backup restoration by `setfattr`, which reads and resolves full pathnames from backup files. In both cases, when these utilities are executed by a privileged process over a path controlled by the attacker, this can lead to local privilege escalation. Red Hat severity: Moderate — CVSS 6.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-59. Fixed by RHSA-2026:34889 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 A flaw was found in the `gzexe` utility of GNU `gzip`. When the `mktemp` utility is not available, `gzexe` creates temporary files with predictable names based on the process ID. A local attacker can exploit this by pre-creating a symbolic link to an arbitrary file at the predicted temporary file path. This can lead to a Time-of-Check to Time-of-Use (TOCTOU) condition, allowing the attacker to overwrite arbitrary files on the system. A flaw was found in the gzexe utility of GNU gzip. When the mktemp utility is not available in the user's PATH, gzexe creates temporary files with predictable names based on the process ID. A local attacker can exploit this by creating a symbolic link at the predicted temporary file path, leading to a TOCTOU race condition that allows arbitrary file overwrite. On Red Hat Enterprise Linux, mktemp is provided by coreutils which is always installed, making the vulnerable fallback code path effectively unreachable in standard deployments. Red Hat severity: Moderate — CVSS 6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H). Weakness: CWE-59. Fixed by RHSA-2026:33771 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information. Red Hat severity: Moderate — CVSS 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). Weakness: CWE-170. Fixed by RHSA-2026:35841, RHSA-2026:35842 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10.
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service. This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Weakness: CWE-770. Fixed by RHSA-2026:35841, RHSA-2026:35842 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10.
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise. Red Hat severity: Moderate — CVSS 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Weakness: CWE-295. Fixed by RHSA-2026:35841, RHSA-2026:35842 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10.
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system. Red Hat severity: Moderate — CVSS 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-289. Fixed by RHSA-2026:35841, RHSA-2026:35842 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10.
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-209. Fixed by RHSA-2026:35841, RHSA-2026:35842, RHSA-2026:28727, RHSA-2026:29012, RHSA-2026:30172, RHSA-2026:7378 and more — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Hardened Images.
Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High) An use after free flaw was found in the Payments component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=517522620 Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory. Red Hat severity: Important — CVSS 6.6 (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-825. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2. A flaw was found in jq, a command-line JSON processor. This vulnerability allows a local user or an attacker providing malicious input to cause a denial of service (DoS) by comparing two sufficiently deeply nested arrays using the '==' operator. This action exhausts the C stack due to uncontrolled recursion, leading to a crash of the jq process. Red Hat severity: Moderate — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-770. Fixed by RHSA-2026:29986 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2. A flaw was found in jq, a command-line JSON processor. This vulnerability allows an attacker to trigger a heap out-of-bounds write by providing a specially crafted, oversized file to the `jq --rawfile` option. This can lead to a denial of service (DoS), making the affected system or application unavailable, and may also impact data integrity. Exploitation requires user interaction, as a user must process the malicious file. A flaw was found in jq, a command-line JSON processor. When using the `--rawfile` option to process an oversized file, jq can trigger a heap out-of-bounds write in assertion-disabled builds (typical for release builds). Exploitation requires a local user to explicitly process an attacker-controlled file. With assertions enabled, the process aborts instead of corrupting memory. Red Hat severity: Moderate — CVSS 6.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H). Weakness: CWE-787. Fixed by RHSA-2026:29986 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2. A flaw was found in jq, a command-line JSON processor. On 32-bit systems, a local attacker could exploit an integer overflow vulnerability in the `jvp_string_append` function. This could lead to a massive buffer overrun, resulting in a denial of service (DoS) condition. Red Hat severity: Moderate — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-190. Fixed by RHSA-2026:29986 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise. A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise. A Moderate flaw was found in Keycloak where a disabled client can be re-enabled by an attacker who retains a Registration Access Token (RAT) from a prior legitimate client registration. This allows the attacker to bypass the administrator's explicit intent to disable the client, reset its secret, and restore OAuth client_credentials capability, potentially leading to unauthorized access to resources. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-613. Fixed by RHSA-2026:30050, RHSA-2026:30049, RHSA-2026:30084, RHSA-2026:30083 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat build of Keycloak 26.4; Red Hat build of Keycloak 26.4.13; Red Hat build of Keycloak 26.6; Red Hat build of Keycloak 26.6.4.
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks. A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks. Medium: This flaw in Keycloak allows a highly privileged realm administrator with the "manage-realm" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the "manage-realm" role, which is a high-level administrative permission. Red Hat severity: Moderate — CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-22. Fixed by RHSA-2026:30050, RHSA-2026:30049, RHSA-2026:30084, RHSA-2026:30083 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat build of Keycloak 26.4; Red Hat build of Keycloak 26.4.13; Red Hat build of Keycloak 26.6; Red Hat build of Keycloak 26.6.4.
Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671. A flaw was found in Vim, an open source command-line text editor. When opening a specially crafted encrypted file using the VimCrypt~04! or VimCrypt~05! methods, an attacker could trigger an unsigned length calculation error. This issue leads to an out-of-bounds read, causing Vim to crash and resulting in a denial of service. This Moderate impact vulnerability in Vim arises from an out-of-bounds read when processing a specially crafted libsodium-encrypted file. If a user opens a malicious file encrypted with VimCrypt~04! or VimCrypt~05! and the file body is shorter than a single libsodium secretstream header, Vim may crash. This issue requires user interaction to open a malformed file and the +sodium feature to be enabled, limiting its exploitability in typical Red Hat environments. Red Hat severity: Moderate — CVSS 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-125. Fixed by RHSA-2026:30267 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698. A memory corruption flaw in Vim allows an attacker to cause a Denial of Service (DoS). When a SOFO-based spell language is active, providing an excessively long word to the spell checker triggers a stack out-of-bounds write in the spell_soundfold_sofo() function, causing the editor to crash. This Moderate impact flaw in Vim, a command-line text editor, is due to a stack out-of-bounds write in the spell checker. Exploitation requires a user to open a specially crafted file or encounter a long word via spell suggestion while a SOFO-based spell language is active, leading to a Denial of Service. This is not a default configuration in most Red Hat environments, limiting the attack surface. Red Hat severity: Moderate — CVSS 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-787. Fixed by RHSA-2026:30267 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) An uninitialized use flaw was found in the GPU component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=517080836 Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory. Red Hat severity: Important — CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). Weakness: CWE-824. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) An insufficient validation of untrusted input flaw was found in the Navigation component of the Chromium browser. Upstream bug(s): https://code.google.com/p/chromium/issues/detail?id=517148260 Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory. Red Hat severity: Important — CVSS 5.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N). Weakness: CWE-1286. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. A flaw was found in the Python `tarfile` module. When processing a specially crafted tar archive opened in 'streaming mode' (mode='r|'), the module does not properly handle the end-of-file (EOF) condition. This can cause the `tarfile` module to enter an infinite loop, leading to a Denial of Service (DoS) for applications processing such archives. A flaw was found in the Python tarfile module. When processing a tar archive in streaming mode (mode='r|'), the _Stream.seek function does not properly check for end-of-file, which can cause an infinite loop when processing a specially crafted archive. Red Hat ships Python as part of many products, and applications using tarfile's streaming mode are potentially affected by this denial of service vulnerability. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-835. Fixed by RHSA-2026:35806, RHSA-2026:35807, RHSA-2026:35812, RHSA-2026:35813 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform. A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform. This Moderate impact flaw in `foreman-mcp-server` within Red Hat Satellite can lead to a confidentiality breach. The component logs sensitive session identifiers, which are treated as authentication credentials, at an informational level by default. Additionally, when debug logging is enabled, HTTP request headers containing authorization tokens and API keys are incompletely sanitized and logged in cleartext. This exposes sensitive authentication data in plain text within container logs, increasing risk if logs are aggregated or accessed by unauthorized parties. Red Hat severity: Moderate — CVSS 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-532. Fixed by RHSA-2026:28438 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Satellite 6.19.
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15. A flaw was found in Net::IMAP, a Ruby client library for the Internet Message Access Protocol (IMAP). This vulnerability allows a remote attacker to cause a denial of service by sending specially crafted input to certain Net::IMAP commands. When a raw string argument, derived from user-controlled input, is not properly validated, it can force subsequent commands to be absorbed, leading to a hung connection and preventing further processing until the connection is closed. A Moderate denial of service flaw was found in the Net::IMAP Ruby client library. This issue occurs when a remote attacker sends specially crafted input to certain Net::IMAP commands, causing the client connection to hang indefinitely. This can prevent further processing of IMAP commands until the connection is manually closed, impacting the availability of services relying on the Net::IMAP client. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-88. Fixed by RHSA-2026:33551, RHSA-2026:34293 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0. A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or event loop to be blocked for an extended period, resulting in a denial of service (DoS) for the affected system. Red Hat rates this flaw as Moderate impact, consistent with the upstream CVEORG assessment. The vulnerability causes CPU exhaustion via quadratic merge-key processing in js-yaml's YAML parser. In Red Hat products, all confirmed vulnerable code paths run client-side in the browser (OpenShift Console plugins, Kiali frontend, monitoring dashboard editors). A denial of service is limited to freezing the user's own browser tab when processing crafted YAML input, not server-side resource exhaustion. The user can recover by closing the tab. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Weakness: CWE-1333. Fixed by RHSA-2026:33866 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers. A flaw was found in libexpat, a library used for parsing XML data. An attacker could exploit a heap-based buffer overflow, a type of memory error, by providing specially crafted XML input. This vulnerability occurs when the library mishandles memory reallocation while processing XML, particularly when multiple parsers share data. Successful exploitation could allow the attacker to execute arbitrary code, access sensitive information, or cause the application to crash, leading to a denial of service. Red Hat severity: Moderate — CVSS 6.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L). Weakness: CWE-131. Fixed by RHSA-2026:30647 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6.
libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation. A flaw in libssh2's sftp_symlink() function allows a malicious SSH server or man-in-the-middle attacker to trigger an out-of-bounds heap read via a crafted SSH_FXP_NAME response. This can disclose heap memory contents or crash the application, causing a denial of service (DoS). This Moderate-impact out-of-bounds heap read flaw in libssh2 allows a malicious SSH server or man-in-the-middle attacker to crash the application (DoS) or disclose heap memory by sending a crafted SFTP response. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H). Weakness: CWE-125. Fixed by RHSA-2026:30132 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7. A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption (JOSE). This vulnerability allows a remote attacker to cause resource exhaustion, leading to a Denial of Service (DoS), by sending oversized JSON Web Signature (JWS) payloads. The library fails to apply size limits, specifically JWSRegistry.max_payload_length, when processing RFC7797 b64=false JWS payloads. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Weakness: CWE-770. Fixed by RHSA-2026:25039 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops. A vulnerability in libssh2 allows a malicious SSH server to freeze connected clients during the handshake process. By sending a malformed packet, the server triggers a loop that exhausts the client's CPU, resulting in a denial of service. A Moderate-rated denial of service vulnerability in the libssh2 client allows a malicious SSH server to freeze the connecting application. By triggering an infinite CPU loop during the initial connection handshake, the server can render the client unresponsive. Note: Red Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-606. Fixed by RHSA-2026:29950 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored. In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key. Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream. A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key. This Moderate information disclosure flaw in Undici's cache interceptor, when configured in shared-cache mode, allows an unauthenticated attacker to retrieve sensitive authenticated user data. This is due to incorrect parsing of Cache-Control headers containing whitespace-padded field names, leading to cached responses being served improperly. Red Hat products are affected if they explicitly enable shared-cache mode, forward Authorization headers, and process non-canonical Cache-Control directives. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-1286. Fixed by RHSA-2026:35841, RHSA-2026:35842, RHSA-2026:22380, RHSA-2026:7378 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Hardened Images.
The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected. Patches: Upgrade to undici >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade. A flaw was found in undici. A malicious WebSocket server could exploit this vulnerability by sending fragmented messages that individually meet size limits but collectively exceed them. This can lead to unbounded memory growth in the client process, resulting in memory exhaustion and a denial of service (DoS). This is rated Moderate by Red Hat (CVSS 5.9) because successful exploitation requires the undici WebSocket client to connect to an attacker-controlled server (AC:H), which is unlikely in typical Red Hat product deployments where WebSocket endpoints are trusted internal services. No Red Hat product is affected — all streams shipping undici bundle versions 5.x through 7.x, which are outside the vulnerable range of 8.0.0 to 8.4.x. The vulnerable code path (unbounded WebSocket frame accumulation) was introduced in undici 8.0.0 and is not present in earlier major versions. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-400. Fixed by RHSA-2026:22934, RHSA-2026:25561, RHSA-2026:7378 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. A flaw was found in NGINX. Remote, unauthenticated attackers can exploit a vulnerability in the `ngx_http_charset_module` when specific charset configurations are present. This can lead to a heap buffer over-read, potentially causing limited disclosure of memory or a denial of service by restarting the NGINX worker process. Red Hat severity: Moderate — CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L). Weakness: CWE-125. Fixed by RHSA-2026:27197 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
Incorrect boundary conditions in the Internationalization component. Red Hat rates this moderate (CVSS 6.1). Weakness: CWE-131. Affected package(s): firefox, thunderbird. Resolved in Red Hat advisory RHSA-2026:29940 — update the affected packages (`sudo dnf update`).
Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152. Red Hat rates this moderate (CVSS 6.1). Weakness: CWE-787. Affected package(s): firefox, thunderbird. Resolved in Red Hat advisory RHSA-2026:29940 — update the affected packages (`sudo dnf update`).