Red Hat Linux OS and other open source products
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Red Hat product.
RSS Feeds for Red Hat security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.
Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:28438 | (RHSA-2026:28438) satellite/foreman-mcp-server-rhel9 container image available as a Technology Preview | June 23, 2026 |
| RHSA-2026:28405 | (RHSA-2026:28405) satellite/foreman-mcp-server-rhel9 container image available as a Technology Preview | June 23, 2026 |
| RHSA-2026:28385 | (RHSA-2026:28385) Important: Satellite 6.18.6 Async Update | June 23, 2026 |
| RHSA-2026:28377 | (RHSA-2026:28377) Critical: Red Hat Ansible Automation Platform 2.6 Product Security Update | June 23, 2026 |
| RHSA-2026:28376 | (RHSA-2026:28376) Critical: Red Hat Ansible Automation Platform 2.5 Product Security Update | June 23, 2026 |
| RHSA-2026:28211 | (RHSA-2026:28211) Red Hat Hardened Images RPMs bug fix and enhancement update | June 23, 2026 |
| RHSA-2026:28210 | (RHSA-2026:28210) Moderate: vim security update | June 23, 2026 |
| RHSA-2026:28209 | (RHSA-2026:28209) Moderate: vim security update | June 23, 2026 |
| RHSA-2026:28208 | (RHSA-2026:28208) Important: postgresql:13 security update | June 23, 2026 |
| RHSA-2026:28198 | (RHSA-2026:28198) Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.6.12 | June 23, 2026 |
By the Year
In 2026 there have been 1282 vulnerabilities in Red Hat with an average score of 7.0 out of ten. Last year, in 2025 Red Hat had 1139 security vulnerabilities published. That is, 143 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.45.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1282 | 7.01 |
| 2025 | 1139 | 6.56 |
| 2024 | 1686 | 6.57 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.97 |
| 2021 | 1123 | 6.62 |
| 2020 | 663 | 6.39 |
| 2019 | 772 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-12892 | Jun 23, 2026 |
GStreamer gst-plugins-bad H.264 MVC/SVC NAL Heap OOB ReadA flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-12891 | Jun 23, 2026 |
OOB Read in GStreamer gst-plugins-bad H.266 ParserA flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space. |
Enterprise Linux (RHEL)
|
| CVE-2026-11820 | Jun 23, 2026 |
Ansible Module 'nexmo' leaks API credentials via query stringModule: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. Vulnerable Code (lines 82-93): msg = { "api_key": module.params.get("api_key"), "api_secret": module.params.get("api_secret"), "from": module.params.get("src"), "text": module.params.get("msg"), } url = f"{NEXMO_API}?{urlencode(msg)}" response, info = fetch_url(module, url, headers=headers) Observed Output: https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello Exposure Vectors: Ansible verbose output (-vvv) logs the full request URL Vonage/Nexmo server access logs record credentials in query string HTTP proxies, SIEM, and network inspection tools capture the full URL AWX/Automation Controller network debug logs Fix: Switch to POST with credentials in the request body: data = urlencode({"api_key": api_key, "api_secret": api_secret, "from": src, "to": number, "text": msg}) fetch_url(module, NEXMO_API, data=data, method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"}) |
Enterprise Linux (RHEL)
|
| CVE-2026-11819 | Jun 23, 2026 |
Ansible keyring_info leak passphrase via no_log omissionModule: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning. Root Cause: Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True) Line 127 (NOT protected): result["passphrase"] = passphrase Observed Output: { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } Visible via register + debug: { "keyring_result": { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } } Impact: Master passwords, SSH key passphrases and service credentials appear in all Ansible output register: keyring_result followed by debug: var=keyring_result prints passphrase in full Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase AWX/Tower job logs silently store the live credential Fix: module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True) Also add a documentation warning requiring callers to use no_log: true at the task level. PoCs Fig 1: PoC execution showing passphrase in plaintext output Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127) |
Enterprise Linux (RHEL)
|
| CVE-2026-9073 | Jun 23, 2026 |
foreman-mcp-server LEAKS Auth Tokens via Info & Debug LoggingA flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform. |
Satellite
|
| CVE-2026-12112 | Jun 23, 2026 |
Redhat Foreman MCP Server Session Hijack, Priv EscalationA flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution. |
Satellite
|
| CVE-2026-11807 | Jun 23, 2026 |
Missing auth in Red Hat EDA WebSocket API leaks credentialsA missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys. |
Ansible Automation Platform
|
| CVE-2026-12969 | Jun 23, 2026 |
dnsmasq OOB Heap Read via find_soa() in NS SectionAn out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-10609 | Jun 23, 2026 |
OpenShift Cluster Logging Operator: SA Token Escalation via Missing AuthA missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges. |
Logging
|
| CVE-2026-55654 | Jun 23, 2026 |
OpenSSH GSSAPI Trailing NULL -> Heap OOB Read DoSA flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-55655 | Jun 23, 2026 |
OpenSSH X11 Forwarding Hijack via local X Socket Pre-bindingA flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-55653 | Jun 23, 2026 |
OpenSSH DH-GEX Double Free DoS in FIPS ModeA flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS). |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-12549 | Jun 22, 2026 |
Red Hat Apache HTTPD Signed Comparison Range Regres (CVE-2026-12549)The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding. |
Enterprise Linux (RHEL)
|
| CVE-2026-12725 | Jun 22, 2026 |
Heap Overflow in dnsmasq Causing DoS with DNSSEC+Query LoggingA heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-54100 | Jun 22, 2026 |
WMCO SSH Host Key Verification Flaw Exposes Windows Node CredentialsA flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster. |
Openshift
Windows Machine Config
|
| CVE-2026-54099 | Jun 22, 2026 |
Cluster Admin Escalation via WMCO CSR Auto-ApprovalA flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover. |
Openshift
Windows Machine Config
|
| CVE-2026-50559 | Jun 19, 2026 |
Quarkus HTTP Auth Bypass via Encoded ; and / Fixed 3.37.0Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch. |
|
| CVE-2026-12726 | Jun 19, 2026 |
AWX GitHub Webhook Exposure: Untrusted callback leaks PATA flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT. |
Ansible Automation Platform
|
| CVE-2026-56211 | Jun 19, 2026 |
RCE via AV1 SVC ID Bounds in libaom EncoderA remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56210 | Jun 19, 2026 |
libaom Heap-Buffer-Overflow in SVC Layer ID Read (CVE-2026-56210)A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory). |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56209 | Jun 19, 2026 |
LIBAOM AV1 Codec Arbitrary Address Write via SVC Layer ControlAn arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56208 | Jun 19, 2026 |
Heap Overflow in libaom's AV1 Encoder LAP ModeA heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-3195 | Jun 19, 2026 |
QEMU virtio-snd Input Callback Heap OOB Write CVE-2026-3195A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-3196 | Jun 19, 2026 |
Virtio-snd Integer Overflow Host DoS via PCM_INFOAn integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-12706 | Jun 19, 2026 |
FFmpeg RASC Decoder UAF via deallocated buffer in move_tableA use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash). |
Enterprise Linux Ai
Openshift Ai
|
| CVE-2026-11791 | Jun 18, 2026 |
389 DS Use-After-Free via Unref'd Attr_Syntax Swap during Schema ReloadA flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash). |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-12505 | Jun 18, 2026 |
CIFS-UTILS PrivEsc via request_key and malicious NSS ModuleA flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted request_key payload to trick the root-owned helper into entering a custom environment (namespace) containing a malicious NSS module. This forces the system to load the attacker's controlled NSS Module and configuration, allowing them to execute arbitrary commands as the root user, elevating their privileges and fully compromising the system. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-47774 | Jun 17, 2026 |
Envoy HTTP/2 OOM DoS (v<1.35.11/1.36.7/1.37.3/1.38.1)Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. |
|
| CVE-2026-12515 | Jun 17, 2026 |
Katello ContentUploadsController Auth Bypass via Edit ProductsA flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content. |
Hummingbird
Satellite
|
| CVE-2026-12528 | Jun 17, 2026 |
389 Directory Server heap buffer overflow in aclparse.cA flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process. |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-12491 | Jun 17, 2026 |
vLLM Image Metadata Handling CVE: EXIF/TPNG tRNS VulnerabilityA flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data. |
Ai Inference Server
Enterprise Linux Ai
Openshift Ai
And others... |
| CVE-2026-2604 | Jun 16, 2026 |
Flatpak D-Bus Traversal in Evolution-Data-Server Enables File DeleteA flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files. |
Enterprise Linux (RHEL)
|
| CVE-2026-4367 | Jun 16, 2026 |
Xpm OOB Read in libXpm Causes DoSA flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions. |
Enterprise Linux (RHEL)
Hummingbird
|
| CVE-2026-10649 | Jun 16, 2026 |
CVE-2026-10649: Integer Overflow in Pacemaker Remote DecompressionA flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-12398 | Jun 16, 2026 |
Command Injection in galaxy_ng Legacy Role Import APIA command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration. |
Ansible Automation Platform
|
| CVE-2026-46331 | Jun 16, 2026 |
Linux Kernel net/sched pedit partial COW causing cache corruptionIn the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined. |
|
| CVE-2026-42014 | Jun 16, 2026 |
GnuTLS UAF in pkcs11_token_set_pin on NULL SO PINA flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-1767 | Jun 16, 2026 |
GNOME localsearch MP3 Extractor: tracker-extract-mp3 Heap OverflowA flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This incorrect length calculation during the parsing of performer tags can lead to a read beyond the allocated buffer, potentially causing a Denial of Service (DoS) due to a crash or enabling information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-1766 | Jun 16, 2026 |
GNOME localsearch MP3 extractor HEAP buffer overflow via malformed ID3 COMMA flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-1765 | Jun 16, 2026 |
GNOME Tracker-Extract-MP3 Heap Buffer Overflow Allowing DoSA flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners). This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3 file, leading to a Denial of Service (DoS) where the application crashes. It may also potentially expose sensitive information from the system's memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-1764 | Jun 16, 2026 |
GNOME localsearch MP3 Extractor Heap Buffer OverflowA flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data. |
Enterprise Linux (RHEL)
|
| CVE-2026-52718 | Jun 15, 2026 |
DoS: GStreamer AV1 Parser Desync via gst_plugins_badA denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash. |
Enterprise Linux (RHEL)
|
| CVE-2026-52722 | Jun 15, 2026 |
Signed Int Overflow in GStreamer VMnc DecoderA signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-52720 | Jun 15, 2026 |
Heap Overflow in GStreamer librfb (RFB/VNC Client)A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash. |
Enterprise Linux (RHEL)
|
| CVE-2026-53704 | Jun 15, 2026 |
GStreamer RealMedia demuxer Re-entrancy / Infinite Loop CVE-2026-53704A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents. |
Enterprise Linux (RHEL)
|
| CVE-2026-53703 | Jun 15, 2026 |
Overflow in GStreamer RM Demuxer: MDPR Chunk Parsing CrashA vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-52721 | Jun 15, 2026 |
OOB Read in GStreamer pcapparse Local PCAP Crash/Info DisclosureMultiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-53705 | Jun 15, 2026 |
GStreamer gst-plugins-good: WavPack Decoder Integer Overflow Heap CorruptionA flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file. |
Enterprise Linux (RHEL)
|
| CVE-2026-52719 | Jun 15, 2026 |
OOB read in GStreamer VA JPEG decoder leads to crashAn out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure. |
Enterprise Linux (RHEL)
|
| CVE-2026-44188 | Jun 15, 2026 |
Ansible Lightspeed OAuth Token Persistence via Insufficient Sess ExpA flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data. |
Ansible Automation Platform
|