Red Hat Linux OS and other open source products
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Red Hat product.
RSS Feeds for Red Hat security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.
Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:38091 | (RHSA-2026:38091) Red Hat Hardened Images RPMs Security Update | July 10, 2026 |
| RHSA-2026:38090 | (RHSA-2026:38090) Red Hat Hardened Images RPMs Security Update | July 10, 2026 |
| RHSA-2026:38018 | (RHSA-2026:38018) Red Hat Hardened Images RPMs bug fix and enhancement update | July 10, 2026 |
| RHSA-2026:38019 | (RHSA-2026:38019) Red Hat Hardened Images RPMs Security Update | July 10, 2026 |
| RHSA-2026:38017 | (RHSA-2026:38017) Red Hat Hardened Images RPMs Security Update | July 10, 2026 |
| RHSA-2026:37764 | (RHSA-2026:37764) Red Hat Hardened Images RPMs Security Update | July 10, 2026 |
| RHSA-2026:37729 | (RHSA-2026:37729) Important: kernel security update | July 10, 2026 |
| RHSA-2026:37728 | (RHSA-2026:37728) Important: kernel security, bug fix, and enhancement update | July 10, 2026 |
| RHSA-2026:37577 | (RHSA-2026:37577) Red Hat Hardened Images RPMs Security Update | July 10, 2026 |
| RHSA-2026:37530 | (RHSA-2026:37530) Red Hat Hardened Images RPMs bug fix and enhancement update | July 10, 2026 |
By the Year
In 2026 there have been 2056 vulnerabilities in Red Hat with an average score of 7.3 out of ten. Last year, in 2025 Red Hat had 1162 security vulnerabilities published. That is, 894 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.67.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2056 | 7.26 |
| 2025 | 1162 | 6.58 |
| 2024 | 1688 | 6.57 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.97 |
| 2021 | 1123 | 6.61 |
| 2020 | 664 | 6.39 |
| 2019 | 772 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-15143 | Jul 10, 2026 |
XSD Injection in guardrails-detectors File_Type Detector Enables SSRF & LFIA flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file reads, potentially resulting in sensitive information disclosure, such as cloud provider credentials or access to internal network services. |
|
| CVE-2026-15028 | Jul 10, 2026 |
Heap Overflow in libarchive PAX Header ParsingA flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system. |
And others... |
| CVE-2026-15378 | Jul 10, 2026 |
Red Hat guardrails-detectors SSRF via crafted XSD blind requestA flaw was found in the `guardrails-detectors` component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery (SSRF) by submitting a specially crafted XML Schema Definition (XSD) string. This can lead to unauthorized access to sensitive information, including credentials from cloud metadata services, Kubernetes API, internal MinIO, and other internal network endpoints. Additionally, it enables local file reads of critical data such as service account tokens and pod secrets. |
|
| CVE-2026-15308 | Jul 09, 2026 |
CPython <3.16 CPU DoS via Unterminated Markup in html.parser.HTMLParserThe incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data. |
|
| CVE-2026-59692 | Jul 09, 2026 |
Stack Buffer Overflow in GStreamer DTLS Plugin (CVE-2026-59692)A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an oversized Subject DN that exceeds the buffer, causing a stack buffer overflow and process crash, resulting in denial of service. |
|
| CVE-2026-59691 | Jul 09, 2026 |
GStreamer rfbsrc plugin heap buffer overflow via HextileA heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption. |
|
| CVE-2026-56289 | Jul 09, 2026 |
DoS in GNU Patch via Unrealistic Hunk OffsetsGNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination. This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 |
|
| CVE-2026-56288 | Jul 09, 2026 |
Null Pointer Dereference in GNU Patch (CVE-2026-56288)GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service. This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313 |
|
| CVE-2026-15154 | Jul 08, 2026 |
ReDoS in guardrails-detectors (Red Hat OpenShift AI)A flaw was found in `guardrails-detectors`, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline. |
|
| CVE-2026-59890 | Jul 08, 2026 |
setuptools <83 FileList Unicode normalization bypass (CVE-2026-59890)setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0. |
|
| CVE-2026-39822 | Jul 08, 2026 |
Go os Root symlink traversal before 1.27 (v1.25.12 & 1.26 <1.26.5)On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root. |
|
| CVE-2026-59725 | Jul 08, 2026 |
Socket.io 4.1.06.6.6: Engine.IO v4 Polling HTTP Leak DoSSocket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7. |
|
| CVE-2026-59869 | Jul 08, 2026 |
js-yaml Quadratic CPU DoS via Merge Keys before 3.15/4.3js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0. |
|
| CVE-2026-15063 | Jul 08, 2026 |
Unauthorized Access via Unproxied Metrics in TrustYai Gorch ServiceA flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics. |
|
| CVE-2026-15044 | Jul 08, 2026 |
CVE-2026-15044: TrustyAI Service Operator Allows Unauthorized Cluster AccessA flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the cluster to access the AI guardrails and orchestrator without proper authorization. An attacker could exploit this to gain unauthorized access to sensitive information and potentially make limited changes to the AI models. |
|
| CVE-2026-15041 | Jul 08, 2026 |
389 Directory Server PBKDF2SHA256 Timing Attack via NonConstant MemcmpA flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead. |
|
| CVE-2026-60002 | Jul 08, 2026 |
OpenSSH <=10.3 Use-After-Free via Host Key Change (ssh)ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.) |
|
| CVE-2026-60001 | Jul 08, 2026 |
OpenSSH sshd min auth delay bypass before 10.4sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay. |
|
| CVE-2026-60000 | Jul 08, 2026 |
OpenSSH <10.4 GSSAPI MaxAuthTries DoSsshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication. |
|
| CVE-2026-59999 | Jul 08, 2026 |
OpenSSH<10.4 DisableForwarding fails to block PermitTunnelIn sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not. |
|
| CVE-2026-59998 | Jul 08, 2026 |
OpenSSH sshd GSSAPIStrictAcceptorCheck Misconfig Pre-10.4 on ADsshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. |
|
| CVE-2026-59997 | Jul 08, 2026 |
OpenSSH <=10.3 internal-sftp accepts only first 9 argsinternal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection. |
|
| CVE-2026-59996 | Jul 08, 2026 |
OpenSSH <10.4 SCP Path Traversal Remote Files Pushed to Parent Directoryscp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations. |
|
| CVE-2026-59995 | Jul 08, 2026 |
OpenSSH SFTP Server Path Constraint Flaw <10.4sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server. |
|
| CVE-2025-12799 | Jul 07, 2026 |
CVE-2025-12799: XSS in Jastow (and Undertow) via unescaped URL charsA flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling. |
And others... |
| CVE-2026-14969 | Jul 07, 2026 |
389-ds Base Static IV Attack (AES-CBC/3DES-CBC)A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks. |
|
| CVE-2026-14935 | Jul 07, 2026 |
GStreamer webrtcbin logic flaw bypasses SDP fingerprint checkA logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams. |
|
| CVE-2026-14940 | Jul 07, 2026 |
Heap Buffer Overflow in 389Directory Server DN NormalizationA heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), the server can write past the end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated remote attacker can trigger this condition by sending an LDAP operation whose DN reaches the DN normalization routine, such as a search with a crafted base DN. This can corrupt heap memory and may cause denial of service. |
|
| CVE-2026-11610 | Jul 07, 2026 |
389-ds-base 1.3.2+ Heap Buffer Overflow via oversized LDAP UNBINDA heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only. |
And others... |
| CVE-2026-14476 | Jul 07, 2026 |
SSSD AD GPO Path Traversal Enables Root Write & Auth BypassA path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass. |
|
| CVE-2026-14474 | Jul 07, 2026 |
SSSD LDAP Sudo Escalation: Unconfigured Search Base Allowing Root PrivilegesA flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts. |
|
| CVE-2026-58384 | Jul 07, 2026 |
Integer Overflow in GIMP PSD Parser read_RLE_channelA flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution. |
|
| CVE-2026-50811 | Jul 07, 2026 |
FreeType 2.14.3 OOB Read in ttgxvar.c (TT_Get_Var_Design)An out-of-bounds read vulnerability exists in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates |
|
| CVE-2026-59089 | Jul 06, 2026 |
GIMP TIM Loader int Overflow in CLUT multiplier causing DoSA flaw was found in GIMP. The PlayStation TIM loader, responsible for handling PlayStation image files, incorrectly calculates the size of the Color Look-Up Table (CLUT) due to an integer overflow. This occurs when multiplying num_colors and num_cluts, both 16-bit unsigned short integers, resulting in a value exceeding the maximum integer limit. An attacker could exploit this by providing a specially crafted image file, leading to undefined behavior and causing the GIMP plug-in to abort, effectively resulting in a denial of service. |
|
| CVE-2026-50133 | Jul 06, 2026 |
Hugo Stored XSS with Untrusted HTML before v0.162.0Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0. |
|
| CVE-2026-58403 | Jul 06, 2026 |
Hugo FS Symlink Traversal (v0.123.0v0.163.0)Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1. |
|
| CVE-2026-58402 | Jul 06, 2026 |
Hugo XSS via unescaped codefence language 0.60.00.163.2Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-" data-lang="" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3. |
|
| CVE-2026-58404 | Jul 06, 2026 |
Hugo 0.162.00.163.0 Loopback URL Injection via resources.GetRemoteHugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1. |
|
| CVE-2026-58380 | Jul 06, 2026 |
GIMP PNM Parser Off-By-One Buffer OverrunA flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution. |
|
| CVE-2026-9165 | Jul 06, 2026 |
RHACS GraphQL API Depth Bypass Leading to DoSA flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane. |
|
| CVE-2026-14781 | Jul 05, 2026 |
Keycloak OIDC Broker Email-Verified Claim BypassA flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email. Exploitation Conditions: The OIDC identity provider must have trustEmail set to true (non-default). The userinfo endpoint must be enabled (default). The attacker must control or have compromised the upstream OIDC provider. Concrete Impact: Mark arbitrary email addresses as verified in the Keycloak database. Bypass email-based security controls or verification workflows. Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts. |
And others... |
| CVE-2026-53359 | Jul 04, 2026 |
Linux KVM x86 Shadow Paging UAF via Role MismatchIn the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free. |
|
| CVE-2026-14355 | Jul 03, 2026 |
PHP 8.2-8.5 OpenSSL AES-WRAP-PAD Buffer Overwrite (pre 8.4.23)In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without accounting for RFC 5649 expansion. This may cause OpenSSL to write beyond allocated memory, corrupting heap metadata and triggering application abort. |
|
| CVE-2026-58379 | Jul 03, 2026 |
GIMP PSP Parser Heap Overflow Arbitrary Code ExecutionA flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory. |
|
| CVE-2026-14615 | Jul 03, 2026 |
Admin Permission Leak in Keycloak FGAP v2A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes. |
|
| CVE-2026-14614 | Jul 03, 2026 |
Keycloak ClientResource Permission Bypass via FGAP v2A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended. |
And others... |
| CVE-2026-14613 | Jul 03, 2026 |
Keycloak FGAP v2: Admin RLS Bypass Exposes Hidden GroupsA vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information. |
And others... |
| CVE-2026-14612 | Jul 03, 2026 |
Off-by-One in FreeIPA ipa-otpd OAuth2 Handler OOB Memory AccessTwo off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the IdP endpoint may be able to trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer. Exploitation requires FreeIPA to be configured with an external IdP, attacker control or MITM of that IdP, and a user to initiate the OAuth2 device authorization flow. The most likely impact is limited denial of service affecting the ipa-otpd daemon. |
|
| CVE-2026-14544 | Jul 03, 2026 |
Integer Overflow in HP HPLIP hpcups Remote Priv EscalationA flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or achieve arbitrary code execution. This can occur through an integer overflow in the hpcups processing path when handling specially crafted print data. |
|
| CVE-2026-58381 | Jul 02, 2026 |
GIMP PSP File Parser Double-Free VulnerabilityA flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution. |
|