Red Hat Linux OS and other open source products
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Red Hat product.
RSS Feeds for Red Hat security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.
Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:20338 | (RHSA-2026:20338) A Subscription Management tool for finding and reporting Red Hat product usage | May 21, 2026 |
| RHSA-2026:20334 | (RHSA-2026:20334) Red Hat Hardened Images RPMs bug fix and enhancement update | May 21, 2026 |
| RHSA-2026:20299 | (RHSA-2026:20299) Important: kernel security update | May 21, 2026 |
| RHSA-2026:20130 | (RHSA-2026:20130) Important: kernel security update | May 21, 2026 |
| RHSA-2026:20051 | (RHSA-2026:20051) Important: kernel security update | May 21, 2026 |
| RHSA-2026:20074 | (RHSA-2026:20074) Red Hat Hardened Images RPMs bug fix and enhancement update | May 21, 2026 |
| RHSA-2026:19875 | (RHSA-2026:19875) Important: kernel-rt security update | May 20, 2026 |
| RHSA-2026:19839 | (RHSA-2026:19839) Important: grafana-pcp security update | May 20, 2026 |
| RHSA-2026:19835 | (RHSA-2026:19835) Critical: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.SP2) | May 20, 2026 |
| RHSA-2026:19811 | (RHSA-2026:19811) Moderate: freerdp security update | May 20, 2026 |
By the Year
In 2026 there have been 813 vulnerabilities in Red Hat with an average score of 7.0 out of ten. Last year, in 2025 Red Hat had 1128 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Red Hat in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.48.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 813 | 7.04 |
| 2025 | 1128 | 6.56 |
| 2024 | 1684 | 6.57 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.96 |
| 2021 | 1123 | 6.62 |
| 2020 | 663 | 6.40 |
| 2019 | 772 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-9149 | May 20, 2026 |
libsolv Heap B.O. in repo_add_solv via negative .solv sizeA flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-9150 | May 20, 2026 |
Red Hat libsolv Stack Buffer Overflow in Debian METADATA ParserA flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-9087 | May 20, 2026 |
Keycloak Cross-Session Verification Key Allows Upstream IdP Account ConsumingA flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account. |
Build Keycloak
|
| CVE-2026-9064 | May 20, 2026 |
389-DS LDAP DoS: Unbounded Controls Enable Remote OverloadA flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service. |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-7571 | May 19, 2026 |
Keycloak OIDC implicit flow bypass & token leakageA flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure. |
Build Keycloak
|
| CVE-2026-7507 | May 19, 2026 |
Session Fixation in Keycloak /login-actions restart endpoint (SSO takeover)A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpointwhich processes session handles without adequate CSRF protection or cookie ownership validationan attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts. |
Build Keycloak
|
| CVE-2026-7504 | May 19, 2026 |
Keycloak Wildcard Redirect URI Validation Bypass (CVE-2026-7504)A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect. |
Build Keycloak
|
| CVE-2026-37982 | May 19, 2026 |
Keycloak WebAuthn Replay of ExecuteActionsActionTokenA flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover. |
Build Keycloak
|
| CVE-2026-37978 | May 19, 2026 |
Keycloak Admin API PII Leak via view-clients evaluate-scopesA flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API. |
Build Keycloak
|
| CVE-2026-37979 | May 19, 2026 |
Keycloak OIDC Introspection Audience Bypass VulnerabilityA flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials. |
Build Keycloak
|
| CVE-2026-7307 | May 19, 2026 |
Keycloak SAML XML DoS: Unauth Remote Attacker via Crafted InputA flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable. |
Build Keycloak
|
| CVE-2026-37981 | May 19, 2026 |
Keycloak: Broken Access Control in Account Resources Lookup EndpointA flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure. |
Build Keycloak
|
| CVE-2026-4630 | May 19, 2026 |
Keycloak IDOR in Authorization Services APIA flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data. |
Build Keycloak
|
| CVE-2026-8922 | May 19, 2026 |
Keycloak OIDC Introspection ignores realm-level notBefore revocationA flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management. |
Build Keycloak
|
| CVE-2026-8830 | May 19, 2026 |
Keycloak WebAuthn Policy Bypass via Client JS ManipulationA flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods. |
Build Keycloak
|
| CVE-2026-42009 | May 18, 2026 |
GnuTLS DTLS DoS via Duplicate Seq Number ReorderingA flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-46333 | May 15, 2026 |
Linux kernel: ptrace dumpability logic flawIn the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override. |
|
| CVE-2026-44432 | May 13, 2026 |
urllib3 2.6.0-<2.7.0 Decompress Whole Response DoS via Brotliurllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0. |
|
| CVE-2026-42945 | May 13, 2026 |
Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE CaptureNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
| CVE-2026-4893 | May 11, 2026 |
DNSMasq 2.92rel2 DNS Info Disclosure via RFC 7871 PacketAn information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information. |
|
| CVE-2026-4892 | May 11, 2026 |
dnsmasq 2.92rel2 DHCPv6 Heap OOB Write Allow Exec as RootA heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. |
|
| CVE-2026-4891 | May 11, 2026 |
dnsmasq 2.92rel2 DNSSEC OOB Read in DNS Validation (DoS)A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. |
|
| CVE-2026-4890 | May 11, 2026 |
dnsmasq 2.92rel2: DNSSEC Validation DoS (CVE-2026-4890)A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. |
|
| CVE-2026-2291 | May 11, 2026 |
dnsmasq 2.92rel2 Heap OOB via extract_name() can cause Cache Poisoningdnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS. |
|
| CVE-2026-4802 | May 11, 2026 |
Remote Command Execution via Unsanitized UI Parameters in CockpitA flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise. |
Enterprise Linux (RHEL)
|
| CVE-2026-42311 | May 09, 2026 |
CVE-2026-42311 Pillow PSD memory corruption before 12.2.0Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0. |
|
| CVE-2026-42310 | May 09, 2026 |
Pillow 4.2.012.2.0 PDF Parser DoS (CPU Exhaustion)Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. |
|
| CVE-2026-42308 | May 09, 2026 |
Pillow <12.2.0 Integer Overflow from Excessive Glyph AdvancePillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0. |
|
| CVE-2026-42309 | May 09, 2026 |
Pillow 11.2.1-12.1.9 Heap Buffer Overflow via Nested List CoordinatesPillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0. |
|
| CVE-2026-43284 | May 08, 2026 |
Linux Kernel ESP: Prevent In-Place Decrypt on Shared skb FragsIn the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). |
|
| CVE-2026-42011 | May 07, 2026 |
GNUTLS Name Constraint Bypass (CVE-2026-42011)A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-42010 | May 07, 2026 |
GNUTLS RSA-PSK Username NUL Bypass AuthA flaw was found in gnutls. Servers configured with RSA-PSK (RivestShamirAdleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-6420 | May 06, 2026 |
Keylime Verifier Hardcoded Nonce Enables TPM Quote ReplayA flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment. |
Enterprise Linux (RHEL)
|
| CVE-2026-39852 | May 05, 2026 |
Quarkus Path Normalization Bypass (unpatched < v3.20.6.1)Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. |
|
| CVE-2026-34956 | May 05, 2026 |
Open vSwitch FTP Helper Heap OOB Leads to DoSA flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system. |
Enterprise Linux (RHEL)
Openshift
Openstack
And others... |
| CVE-2026-34002 | May 05, 2026 |
XKB Modmap OOB Read in X.Org X ServerA flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service. |
Enterprise Linux (RHEL)
|
| CVE-2026-34000 | May 05, 2026 |
OOB Read in XKB Geometry (CheckSetGeom) of X.Org X ServerA flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server. |
Enterprise Linux (RHEL)
|
| CVE-2026-6321 | May 04, 2026 |
Fast-URI Path Normalization Bypass Fast-URI <=3.1.0fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later. |
|
| CVE-2026-6266 | May 04, 2026 |
AAP 2.6 IDP Auto-Link Email Matching Bypass Enables HijackA flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email. |
Ansible Automation Platform
Ansible Automation Platform Developer
Ansible Automation Platform Inside
And others... |
| CVE-2026-33846 | May 04, 2026 |
Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly (CVE-2026-33846)A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-42404 | May 01, 2026 |
Apache Neethi Remote URI Fetch VULN before 3.2.2Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue. |
|
| CVE-2026-42402 | May 01, 2026 |
Apache Neethi CVE-2026-42402 DoS via Policy Normalization (Upgrade to 3.2.2)Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives. |
|
| CVE-2026-42403 | May 01, 2026 |
Apache Neethi Recursion DoS via Circular Policy (<3.2.2)Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition Users are recommended to upgrade to version 3.2.2, which fixes this issue. |
|
| CVE-2026-33845 | Apr 30, 2026 |
OOB Read via DTLS Fragment Underflow in GnuTLSA flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-3832 | Apr 30, 2026 |
GnuTLS OCSP Multi-Record Logic Error Allows Revoked Cert AcceptanceA flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-3833 | Apr 30, 2026 |
GnuTLS SAN case-sensitivity flaw can bypass nameConstraintsA flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-7500 | Apr 30, 2026 |
Privilege Escalation: Keycloak Account REST API Partially DisabledWhen Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional including both read and write operations because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API. |
Build Keycloak
|
| CVE-2026-7163 | Apr 30, 2026 |
MCE Assisted Service API exposes kubeadmin creds via GET endpointA vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters. |
Multicluster Engine
|
| CVE-2026-42198 | Apr 29, 2026 |
pgjdbc 42.2.042.7.10 DoS via SCRAM PBKDF2pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11. |
|
| CVE-2026-37555 | Apr 29, 2026 |
libsndfile 1.2.2 IMA ADPCM overflow allows heap buffer overflowAn issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065. |