Red Hat Linux OS and other open source products
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Red Hat product.
RSS Feeds for Red Hat security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.
Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:27288 | (RHSA-2026:27288) Important: kernel security, bug fix, and enhancement update | June 19, 2026 |
| RHSA-2026:27171 | (RHSA-2026:27171) Red Hat Hardened Images RPMs bug fix and enhancement update | June 19, 2026 |
| RHSA-2026:27126 | (RHSA-2026:27126) Red Hat OpenShift distributed tracing platform (Tempo) 3.10.0 release | June 18, 2026 |
| RHSA-2026:27125 | (RHSA-2026:27125) Red Hat Directory Server 13.2 container image update | June 18, 2026 |
| RHSA-2026:25044 | (RHSA-2026:25044) Important: OpenShift Container Platform 4.16.64 bug fix and security update | June 18, 2026 |
| RHSA-2026:25043 | (RHSA-2026:25043) Important: OpenShift Container Platform 4.16.64 packages and security update | June 18, 2026 |
| RHSA-2026:27114 | (RHSA-2026:27114) Red Hat OpenShift Service Mesh 2.6.17 | June 18, 2026 |
| RHSA-2026:26566 | (RHSA-2026:26566) Important: xorg-x11-server-Xwayland security, bug fix, and enhancement update | June 18, 2026 |
| RHSA-2026:27076 | (RHSA-2026:27076) Important: Satellite 6.16.9 Async Update | June 18, 2026 |
| RHSA-2026:26994 | (RHSA-2026:26994) Red Hat Hardened Images RPMs bug fix and enhancement update | June 18, 2026 |
By the Year
In 2026 there have been 1233 vulnerabilities in Red Hat with an average score of 7.0 out of ten. Last year, in 2025 Red Hat had 1138 security vulnerabilities published. That is, 95 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.46.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1233 | 7.02 |
| 2025 | 1138 | 6.56 |
| 2024 | 1686 | 6.57 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.97 |
| 2021 | 1123 | 6.62 |
| 2020 | 663 | 6.39 |
| 2019 | 772 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-12706 | Jun 19, 2026 |
FFmpeg RASC Decoder UAF via deallocated buffer in move_tableA use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash). |
Enterprise Linux Ai
Openshift Ai
|
| CVE-2026-11791 | Jun 18, 2026 |
389 DS Use-After-Free via Unref'd Attr_Syntax Swap during Schema ReloadA flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash). |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-12505 | Jun 18, 2026 |
CIFS-UTILS PrivEsc via request_key and malicious NSS ModuleA flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted request_key payload to trick the root-owned helper into entering a custom environment (namespace) containing a malicious NSS module. This forces the system to load the attacker's controlled NSS Module and configuration, allowing them to execute arbitrary commands as the root user, elevating their privileges and fully compromising the system. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-47774 | Jun 17, 2026 |
Envoy HTTP/2 OOM DoS (v<1.35.11/1.36.7/1.37.3/1.38.1)Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. |
|
| CVE-2026-12515 | Jun 17, 2026 |
Katello ContentUploadsController Auth Bypass via Edit ProductsA flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content. |
Hummingbird
Satellite
|
| CVE-2026-12528 | Jun 17, 2026 |
389 Directory Server heap buffer overflow in aclparse.cA flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process. |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-12491 | Jun 17, 2026 |
vLLM Image Metadata Handling CVE: EXIF/TPNG tRNS VulnerabilityA flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data. |
Ai Inference Server
Enterprise Linux Ai
Openshift Ai
And others... |
| CVE-2026-2604 | Jun 16, 2026 |
Flatpak D-Bus Traversal in Evolution-Data-Server Enables File DeleteA flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files. |
Enterprise Linux (RHEL)
|
| CVE-2026-4367 | Jun 16, 2026 |
Xpm OOB Read in libXpm Causes DoSA flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions. |
Enterprise Linux (RHEL)
Hummingbird
|
| CVE-2026-10649 | Jun 16, 2026 |
CVE-2026-10649: Integer Overflow in Pacemaker Remote DecompressionA flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-12398 | Jun 16, 2026 |
Command Injection in galaxy_ng Legacy Role Import APIA command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration. |
Ansible Automation Platform
|
| CVE-2026-46331 | Jun 16, 2026 |
Linux Kernel net/sched pedit partial COW causing cache corruptionIn the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined. |
|
| CVE-2026-42014 | Jun 16, 2026 |
GnuTLS UAF in pkcs11_token_set_pin on NULL SO PINA flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-1767 | Jun 16, 2026 |
GNOME localsearch MP3 Extractor: tracker-extract-mp3 Heap OverflowA flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This incorrect length calculation during the parsing of performer tags can lead to a read beyond the allocated buffer, potentially causing a Denial of Service (DoS) due to a crash or enabling information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-1766 | Jun 16, 2026 |
GNOME localsearch MP3 extractor HEAP buffer overflow via malformed ID3 COMMA flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-1765 | Jun 16, 2026 |
GNOME Tracker-Extract-MP3 Heap Buffer Overflow Allowing DoSA flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners). This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3 file, leading to a Denial of Service (DoS) where the application crashes. It may also potentially expose sensitive information from the system's memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-1764 | Jun 16, 2026 |
GNOME localsearch MP3 Extractor Heap Buffer OverflowA flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data. |
Enterprise Linux (RHEL)
|
| CVE-2026-52718 | Jun 15, 2026 |
DoS: GStreamer AV1 Parser Desync via gst_plugins_badA denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash. |
Enterprise Linux (RHEL)
|
| CVE-2026-52722 | Jun 15, 2026 |
Signed Int Overflow in GStreamer VMnc DecoderA signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-52720 | Jun 15, 2026 |
Heap Overflow in GStreamer librfb (RFB/VNC Client)A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash. |
Enterprise Linux (RHEL)
|
| CVE-2026-53704 | Jun 15, 2026 |
GStreamer RealMedia demuxer Re-entrancy / Infinite Loop CVE-2026-53704A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents. |
Enterprise Linux (RHEL)
|
| CVE-2026-53703 | Jun 15, 2026 |
Overflow in GStreamer RM Demuxer: MDPR Chunk Parsing CrashA vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-52721 | Jun 15, 2026 |
OOB Read in GStreamer pcapparse Local PCAP Crash/Info DisclosureMultiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-53705 | Jun 15, 2026 |
GStreamer gst-plugins-good: WavPack Decoder Integer Overflow Heap CorruptionA flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file. |
Enterprise Linux (RHEL)
|
| CVE-2026-52719 | Jun 15, 2026 |
OOB read in GStreamer VA JPEG decoder leads to crashAn out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-44188 | Jun 15, 2026 |
Ansible Lightspeed OAuth Token Persistence via Insufficient Sess ExpA flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data. |
Ansible Automation Platform
|
| CVE-2026-54231 | Jun 13, 2026 |
Content Injection in libreport ABRT handler via unsanitized journal logsA content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog messages, controlling the content that root writes to dump directory files. |
Enterprise Linux (RHEL)
|
| CVE-2026-54230 | Jun 13, 2026 |
Symlink Following in libreport postcreate Scripts Enables Arbitrary File OverwriteA symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system. |
Enterprise Linux (RHEL)
|
| CVE-2026-54229 | Jun 13, 2026 |
Race Condition in abrt-dbus ChownProblemDir Enables Privilege EscalationA race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running. |
Enterprise Linux (RHEL)
|
| CVE-2026-54228 | Jun 13, 2026 |
Red Hat ABRT D-Bus SetElement TOCTOUA time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing. |
Enterprise Linux (RHEL)
|
| CVE-2026-50560 | Jun 12, 2026 |
Netty HTTP/2 Max Header Size Bug before 4.1.135/4.2.15 (CVE-2026-50560)Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-50020 | Jun 12, 2026 |
Netty HttpObjectDecoder skips control chars pre-4.2.15, boundary confusionNetty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x000x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-50010 | Jun 12, 2026 |
Netty 4.1/4.2 X509MT Wrapper Bug: No Hostname VerificationNetty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-48059 | Jun 12, 2026 |
Netty <4.1.135 / <4.2.15 HAProxy PROXY v2 codec memory leak (PP2_TYPE_SSL)Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-48043 | Jun 12, 2026 |
Netty netty-codec-http2 HTTP2 Decompressor Resource Leak pre 4.1.135/4.2.15Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-47691 | Jun 12, 2026 |
Netty <=4.2.15 DNS Cache Poisoning via DnsResolveContextNetty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-47244 | Jun 12, 2026 |
Netty 4.1.x/4.2.x HTTP/2 Unlimited Streams DoS (pre 4.1.135/4.2.15)Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-45674 | Jun 12, 2026 |
Netty DnsResolveContext CNAME Bailiwick Validation Flaw (before 4.1.135,4.2.15)Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-45673 | Jun 12, 2026 |
Netty DNS Resolver PRNG Flaw Enables Cache Poisoning (pre4.1.135/4.2.15)Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-45416 | Jun 12, 2026 |
Netty <4.1.135 / <4.2.15 TLS ClientHello Buffer OverflowNetty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-44893 | Jun 12, 2026 |
Netty netty-codec-haproxy 4.1.x/4.2.x Memory Leak via HAProxyMessage TLVNetty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-48914 | Jun 12, 2026 |
QEMU virtio-blk OOB Write via Malformed SCSIA flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process. |
Enterprise Linux (RHEL)
Enterprise Linux Nvidia
Openshift
And others... |
| CVE-2026-44249 | Jun 11, 2026 |
Netty IpSubnetFilterRule IPv6 Bypass < 4.1.135/4.2.15Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
|
| CVE-2026-53702 | Jun 11, 2026 |
GStreamer H.265 Parser Stack Buffer Overflow via SEI Loop IndexA stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption. |
Enterprise Linux (RHEL)
|
| CVE-2026-53701 | Jun 11, 2026 |
GStreamer gst-plugins-bad: H.266/VVC PPS parser OOB writeAn out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability. |
Enterprise Linux (RHEL)
|
| CVE-2026-11774 | Jun 11, 2026 |
389-Ds SASL_IO Integer Overflow: DoS/RCE via Crafted PacketAn integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c. |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-49261 | Jun 11, 2026 |
MariaDB Server <10.6.27, <10.11.18 Exec via wsrep_notify_cmdMariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`. |
|
| CVE-2026-11986 | Jun 11, 2026 |
Privilege Escalation in Keycloak admin-ui-ext Bulk Role-RemovalA flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control. |
Build Keycloak
Jbosseapxp
|
| CVE-2026-11850 | Jun 11, 2026 |
Integer Underflow in MIT krb5 LDAP KDB to Heap OOB ReadAn integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-6893 | Jun 10, 2026 |
Command Injection via Unescaped DHCP Options in dracut Legacy PathA flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |