Red Hat: Red Hat Linux OS and other open source products

Products by Red Hat, sorted by most security vulnerabilities since 2018

Red Hat Enterprise Linux (RHEL): 2522 vulnerabilities
Red Hat Enterprise Linux Server: 1534 vulnerabilities
  Red Hat Enterprise Linux (RHEL) Server. Includes software bundled with RHEL Server.
Red Hat Enterprise Linux Workstation: 1504 vulnerabilities
  Red Hat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop: 1493 vulnerabilities
  Red Hat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL Desktop.
Red Hat Enterprise Linux Eus: 1041 vulnerabilities
Red Hat Openshift: 542 vulnerabilities
Red Hat Rhel Eus: 490 vulnerabilities
Red Hat Rhel E4s: 402 vulnerabilities
Red Hat Rhel Aus: 358 vulnerabilities
Red Hat Rhel Tus: 356 vulnerabilities
Red Hat Satellite: 353 vulnerabilities
Red Hat Openshift Ai: 290 vulnerabilities
Red Hat Openstack: 274 vulnerabilities
Red Hat Rhel Eus Long Life: 273 vulnerabilities
Red Hat Rhel Els: 263 vulnerabilities
Red Hat Hummingbird: 242 vulnerabilities
Red Hat Jboss Fuse: 203 vulnerabilities
Red Hat Rhivos: 199 vulnerabilities
Red Hat Jbosseapxp: 177 vulnerabilities
Red Hat Build Keycloak: 174 vulnerabilities
Red Hat Jboss Data Grid: 156 vulnerabilities
Red Hat Enterprise Linux Ai: 150 vulnerabilities
Red Hat Openshift Devspaces: 148 vulnerabilities
Red Hat Quay: 139 vulnerabilities
Red Hat Single Sign On: 124 vulnerabilities
Red Hat Keycloak: 123 vulnerabilities
Red Hat Software Collections: 123 vulnerabilities
Red Hat Rhdh: 123 vulnerabilities
Red Hat Cryostat: 118 vulnerabilities
Red Hat Virtualization: 115 vulnerabilities
Red Hat Acm: 112 vulnerabilities
Red Hat Discovery: 105 vulnerabilities
Red Hat Single Sign On: 95 vulnerabilities
Red Hat Openshift Pipelines: 93 vulnerabilities
Red Hat Ceph Storage: 92 vulnerabilities
Red Hat Apache Camel Hawtio: 90 vulnerabilities
Red Hat Ai Inference Server: 88 vulnerabilities
Red Hat Amq Streams: 83 vulnerabilities
Red Hat Service Mesh: 82 vulnerabilities
Red Hat Multicluster Engine: 81 vulnerabilities
Red Hat Logging: 80 vulnerabilities
Red Hat Camel Spring Boot: 79 vulnerabilities
Red Hat Ansible Portal: 76 vulnerabilities
Red Hat Amq Broker: 75 vulnerabilities
Red Hat Openshift Lightspeed: 73 vulnerabilities
Red Hat Serverless: 73 vulnerabilities
Red Hat Ansible Tower: 69 vulnerabilities
Red Hat Openshift Gitops: 65 vulnerabilities
Red Hat Rhui: 62 vulnerabilities
Red Hat Quarkus: 61 vulnerabilities
Red Hat 3scale Amp: 61 vulnerabilities
Red Hat Podman Desktop: 58 vulnerabilities
Red Hat Libvirt: 55 vulnerabilities
Red Hat Apicurio Registry: 54 vulnerabilities
Red Hat Service Registry: 54 vulnerabilities
Red Hat Virtualization Host: 53 vulnerabilities
Red Hat Camel Quarkus: 53 vulnerabilities
Red Hat Rhmt: 53 vulnerabilities
Red Hat Multicluster Globalhub: 50 vulnerabilities
Red Hat Network Observ Optr: 50 vulnerabilities
Red Hat Satellite Capsule: 46 vulnerabilities
Red Hat Jboss Core Services: 44 vulnerabilities
Red Hat Ansible: 42 vulnerabilities
Red Hat Http Server: 42 vulnerabilities
Red Hat Enterprise Linux Aus: 41 vulnerabilities
Red Hat Gatekeeper: 40 vulnerabilities
Red Hat Undertow: 40 vulnerabilities
  Java HTTP server and servlet container.
Red Hat Kafka: 40 vulnerabilities
Red Hat Openstack Platform: 38 vulnerabilities

Recent Red Hat Security Advisories

Advisory - Title - Published
RHSA-2026:34533 - General availability of the satellite/iop-yuptoo-rhel9 container image - July 1, 2026
RHSA-2026:34526 - Technical preview of the satellite/iop-vmaas-rhel9 container image - July 1, 2026
RHSA-2026:34525 - Technical preview of the satellite/iop-vulnerability-frontend-rhel9 container image - July 1, 2026
RHSA-2026:34508 - Important: dnsmasq security update - July 1, 2026
RHSA-2026:34478 - Red Hat Hardened Images RPMs Security Update - July 1, 2026
RHSA-2026:34477 - Important: vim security update - July 1, 2026
RHSA-2026:34476 - Important: vim security update - July 1, 2026
RHSA-2026:34374 - Red Hat Ansible Automation Platform 2.6 Container Release Update - July 1, 2026
RHSA-2026:34372 - Important: gnutls security update - July 1, 2026
RHSA-2026:34368 - Important: Satellite 6.18.7 Async Update - July 1, 2026

By the Year

In 2026 there have been 1935 vulnerabilities in Red Hat products, with an average score of 7.3 out of ten. Last year, in 2025, Red Hat had 1157 security vulnerabilities published. That is, 778 more vulnerabilities have already been reported in 2026 than in all of last year. Moreover, the average CVE base score of the vulnerabilities in 2026 is greater by 0.72.

Year Vulnerabilities Average Score
2026 1935 7.30
2025 1157 6.58
2024 1686 6.57
2023 1206 6.75
2022 1362 6.97
2021 1123 6.62
2020 664 6.39
2019 772 6.98
2018 760 7.16

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

Each entry lists the CVE identifier and publication date, the vulnerability title and description, and the affected Red Hat products.

CVE-2026-14330  Jul 01, 2026
  PulseAudio Unbounded alloca() Calls in Protocol Server
  Multiple unbounded alloca() calls in the PulseAudio protocol server.
  Products: Enterprise Linux (RHEL)

CVE-2026-14324  Jul 01, 2026
  RAOP Module Accepts Unbounded Content-Length Values (CVE-2026-14324)
  The RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return value.
  Products: Enterprise Linux (RHEL)

CVE-2026-5138  Jul 01, 2026
  Auth Bypass in Foreman's Taxonomy Controller Exposing Cross-Tenant Data
  A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
  Products: Satellite, Satellite Capsule, Satellite Maintenance, and others

CVE-2026-5135  Jul 01, 2026
  Foreman Host Retarget Bypass via Broken Access Control
  A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authorisation checks. The consequence is the potential for unauthorised modification of managed host configurations across different organisational and location boundaries.
  Products: Satellite, Satellite Capsule, Satellite Maintenance, and others

CVE-2026-5142  Jul 01, 2026
  Foreman SSH Key Leak via view_keypairs Permission
  A flaw was found in Foreman. Authenticated users with the 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.
  Products: Satellite, Satellite Capsule, Satellite Maintenance, and others

CVE-2026-23537  Jul 01, 2026
  Unauthenticated FS Write via /save-document in Feast Feature Server
  A vulnerability has been identified in the Feast Feature Server's `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.
  Products: Openshift Ai

CVE-2026-5136  Jul 01, 2026
  Foreman Usergroup Role Escalation via Improper Permission Validation
  A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.
  Products: Satellite, Satellite Capsule, Satellite Maintenance, and others

CVE-2026-14258  Jul 01, 2026
  dhcpcd ND Router Advertisement Zero-Length Option DoS
  A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
  Products: Enterprise Linux (RHEL)

CVE-2026-58015  Jun 30, 2026
  GLib D-Bus DBUS_COOKIE_SHA1 Auth: Cookie Context Path Traversal
  A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-58016  Jun 30, 2026
  GLib g_dbus_node_info_new_for_xml Unsigned Integer Overflow OOB Read DoS
  A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-58014  Jun 30, 2026
  GLib g_key_file Off-By-One Array Index Bug Causing OOB Access
  A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-58013  Jun 30, 2026
  GLib Buffer Over-Read in giochannel.c: Minor Info Disclosure and DoS
  A flaw was found in GLib. A buffer over-read can occur in g_io_channel_read_line_backend() in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7 bytes or a denial of service when the buffer over-read crosses a page boundary.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-58012  Jun 30, 2026
  GLib g_regex_replace Over-Read via G_REGEX_RAW Causing Info Leak and DoS
  A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes, because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-58011  Jun 30, 2026
  Out-of-Bounds Read in GLib g_date_time_get_ymd
  A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-58010  Jun 30, 2026
  GLib Off-by-One in gvs_tuple_is_normal Leads to 1-Byte OOB Read
  A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check, because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-12388  Jun 30, 2026
  Privilege Escalation in Keycloak via Hardcoded Role Mapper
  A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
  Products: Build Keycloak

CVE-2026-4629  Jun 30, 2026
  Keycloak Privilege Escalation via Role Mapper Injection
  A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
  Products: Build Keycloak

CVE-2026-14209  Jun 30, 2026
  Keycloak Admin UI: FGAP Bypass via brute-force-user Endpoint
  A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
  Products: Build Keycloak, Jbosseapxp

CVE-2026-13316  Jun 30, 2026
  Foreman SSRF via http_proxies_controller to Cloud Metadata
  A flaw has been found in Foreman when HTTP parameters are modified in the http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal data from the cloud metadata service in AWS/GCP/Azure environments through the Foreman component.
  Products: Satellite

CVE-2026-13149  Jun 30, 2026
  brace-expansion npm <=5.0.6 DoS via Exponential Brace Groups
  brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.

CVE-2026-12610  Jun 30, 2026
  SSSD PAM Responder UAF Crash via YubiKey Manipulation: DoS and Possible Priv Esc
  A flaw was found in SSSD. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.
  Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-14164  Jun 30, 2026
  Double-Free in libarchive RAR5 Reader
  A double-free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.
  Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-55957  Jun 29, 2026
  Apache Tomcat JNDIRealm GSSAPI Auth Bypass (through 11.0.4)
  Missing Critical Step in Authentication vulnerability in Apache Tomcat: when the JNDIRealm was configured to authenticate binds using GSSAPI, it allowed attackers to authenticate without providing the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.

CVE-2026-55956  Jun 29, 2026
  Apache Tomcat through 11.0.22 Improper Authorization: Default Servlet Ignores Constraints
  Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

CVE-2026-55955  Jun 29, 2026
  Apache Tomcat Replay Attack against EncryptionInterceptor (v8.5 to 11.x)
  Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.

CVE-2026-55276  Jun 29, 2026
  Apache Tomcat through 11.0.22: Incorrect Control Flow in Effective web.xml Logging
  Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.

CVE-2026-53404  Jun 29, 2026
  Apache Tomcat Rewrite Valve OR Logic Bypass (through 8.5.100)
  Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

CVE-2026-50229  Jun 29, 2026
  Apache Tomcat (<=11.0.22) Basic XSS in Number Guess Example
  Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

CVE-2026-13757  Jun 29, 2026
  Stack Exhaustion in p11-kit via Nested CKA Template Recursion
  A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.
  Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-12912  Jun 29, 2026
  Heap-based Buffer Overflow in libtiff PixarLog Decoder
  A flaw was found in libtiff. A remote attacker could exploit this vulnerability by providing a specially crafted PixarLog-compressed TIFF image. This issue occurs when decoding PixarLog codec images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based buffer overflow. This could potentially result in arbitrary code execution or a denial of service (DoS).
  Products: Enterprise Linux (RHEL), Hummingbird

CVE-2026-13676  Jun 29, 2026
  fast-uri <=3.1.2 / 4.0.0 Unicode IDN Canonicalization Bug
  fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
  Products: Confidential Compute Attestation, Cryostat, Migration Toolkit Applications, and others

CVE-2026-11979  Jun 29, 2026
  Stack Overflow in libxml2 xmlcatalog --shell Mode
  libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process. This issue has been fixed in the commit c2e233fc. NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.

CVE-2026-54371  Jun 29, 2026
  Local Privilege Escalation via Symlink Traversal in attr <2.6.0 getfattr/setfattr
  attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path.
  Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-54370  Jun 29, 2026
  acl before 2.4.0 Local Privilege Escalation via TOCTOU Symlink Race
  acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

CVE-2026-54369  Jun 29, 2026
  Linux acl before 2.4.0: Symlink Traversal in acl_get_file() and Related Functions, Privilege Escalation
  acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
  Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-12856  Jun 29, 2026
  Arbitrary Command Execution via JavaDoc Hover in VS Code Java Extension
  A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
  Products: Openshift Devspaces

CVE-2026-41991  Jun 29, 2026
  GNU gzip gzexe TOCTOU File Overwrite via Symlink
  GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user's PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre-create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time-of-check to time-of-use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.

CVE-2026-13601  Jun 29, 2026
  Yelp yelp-xsl CSP Permissiveness Lets Flatpak Bypass Sandbox
  A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.
  Products: Enterprise Linux (RHEL)

CVE-2026-13595  Jun 29, 2026
  Heap UAF in util-linux libblkid during Nested Probing
  A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.
  Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-57966  Jun 29, 2026
  Path Traversal in spice-vdagent Enables Arbitrary File Write
  A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs because the filename provided by the SPICE host during file transfers is not properly sanitized before being used. An attacker could exploit this to write to sensitive locations with the privileges of the spice-vdagent process, typically the logged-in user. This issue requires the SPICE host to be untrusted or compromised for exploitation.
  Products: Enterprise Linux (RHEL)

CVE-2026-57965  Jun 29, 2026
  spice-vdagent Integer Overflow Leading to Heap Buffer Overflow DoS
  A flaw was found in spice-vdagent. A malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This vulnerability can lead to a heap buffer overflow, causing the spice-vdagent daemon to crash and resulting in a Denial of Service (DoS) for the virtual machine. This issue requires the SPICE host to be untrusted or compromised for exploitation.
  Products: Enterprise Linux (RHEL)

CVE-2026-58049  Jun 28, 2026
  FFmpeg RASC Decoder OOB Heap Write via Malformed Frame
  FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
  Products: Enterprise Linux Ai, Openshift Ai

CVE-2026-53322  Jun 26, 2026
  Linux Kernel VFIO PCI: Clean Up DMABUFs before Function Disable
  In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Clean up DMABUFs before disabling function. On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible. This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.
  Products: Enterprise Linux (RHEL)

CVE-2026-53281  Jun 26, 2026
  Linux Kernel iommu/vt-d: NULL Pointer Dereference or Refcount Corruption (Use-After-Free)
  In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption. Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") only partly fixed a NULL pointer dereference in an unlikely situation. If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, which leads to a NULL pointer dereference or refcount corruption. If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt. Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain. Fix it by returning early if dev_pasid is NULL, before executing the teardown operations. Issue found by AI review and suggested by Kevin Tian. https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
  Products: Enterprise Linux (RHEL)

CVE-2026-47220 Jun 26, 2026
Envoy 1.37/1.38 Crash via HOST_FIRST/SNI_FIRST Log Format Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when %REQUESTED_SERVER_NAME(X:Y)% is used in the log format and host-related options such as HOST_FIRST or SNI_FIRST are specified, it is possible to crash Envoy when the specified host header is missing from the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
Service Mesh
CVE-2026-13434 Jun 26, 2026
KubeVirt v1.8.0 Network Annotation Injection Allows Cross-namespace Impersonation A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design. A tenant with kubevirt.io:edit permissions can inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. Multus on the node parses this JSON and attaches the launcher pod to the specified network attachment in any namespace, enabling cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The ExternalNetResourceInjection feature gate was introduced in KubeVirt v1.8.0 (first shipped in OpenShift Virtualization 4.21).
Container Native Virtualization
CVE-2026-57915 Jun 26, 2026
Apache Kerby Kerberos Pre-Auth Bypass, Pre v2.1.2 (PA-DATA) It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
Amq Clients
Jbosseapxp
Amq Streams
And others...
CVE-2026-13325 Jun 26, 2026
KubeVirt migration proxy disableTLS exposes unauthenticated TCP listener to pod net A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0; configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.
Container Native Virtualization
CVE-2026-48618 Jun 26, 2026
Node.js TLS Hostname Normalization Bypass via Unicode Dot Separator A flaw in Node.js TLS hostname handling: Unicode dot-separator handling can lead to a TLS wildcard-depth authentication bypass due to a hostname normalization mismatch between the resolver and the verifier. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-48933 Jun 26, 2026
Node.js WebCrypto Crash via 2GiB Input in subtle.encrypt A flaw in the Node.js WebCrypto implementation can crash the process if the input to `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Hummingbird
Enterprise Linux (RHEL)
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms