Red Hat Linux OS and other open source products
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Red Hat product.
RSS Feeds for Red Hat security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.
Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:30853 | (RHSA-2026:30853) Important: git-lfs security update | June 29, 2026 |
| RHSA-2026:30852 | (RHSA-2026:30852) Important: perl-Archive-Tar security update | June 29, 2026 |
| RHSA-2026:30849 | (RHSA-2026:30849) Important: gnutls and libtasn1 security update | June 29, 2026 |
| RHSA-2026:30847 | (RHSA-2026:30847) Moderate: libxslt security update | June 29, 2026 |
| RHSA-2026:30846 | (RHSA-2026:30846) Important: thunderbird security update | June 29, 2026 |
| RHSA-2026:30845 | (RHSA-2026:30845) Moderate: mod_md security update | June 29, 2026 |
| RHSA-2026:30843 | (RHSA-2026:30843) Important: perl-IO-Compress security update | June 29, 2026 |
| RHSA-2026:30814 | (RHSA-2026:30814) Red Hat Hardened Images RPMs Security Update | June 28, 2026 |
| RHSA-2026:30652 | (RHSA-2026:30652) Red Hat Hardened Images RPMs Security Update | June 28, 2026 |
| RHSA-2026:30651 | (RHSA-2026:30651) Important: Red Hat Advanced Cluster Management for Kubernetes v2.13.9 security update | June 28, 2026 |
By the Year
In 2026 there have been 1380 vulnerabilities in Red Hat with an average score of 7.1 out of ten. Last year, in 2025 Red Hat had 1144 security vulnerabilities published. That is, 236 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.49.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1380 | 7.05 |
| 2025 | 1144 | 6.56 |
| 2024 | 1686 | 6.57 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.97 |
| 2021 | 1123 | 6.62 |
| 2020 | 663 | 6.39 |
| 2019 | 772 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-13434 | Jun 26, 2026 |
KubeVirt v1.8.0 Network Annotation Injection Allows Cross-namespace ImpersonationA flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design. A tenant with kubevirt.io:edit permissions can inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. Multus on the node parses this JSON and attaches the launcher pod to the specified network attachment in any namespace, enabling cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The ExternalNetResourceInjection feature gate was introduced in KubeVirt v1.8.0 (first shipped in OpenShift Virtualization 4.21). |
Container Native Virtualization
|
| CVE-2026-13325 | Jun 26, 2026 |
KubeVirt migration proxy disableTLS exposes unauthenticated TCP listener to pod netA flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication. |
Container Native Virtualization
|
| CVE-2026-48615 | Jun 26, 2026 |
Node.js Proxy Tunnel Error exposes credentials via ERR_PROXY_TUNNELA flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
|
| CVE-2026-48933 | Jun 26, 2026 |
Node.js WebCrypto Crash via 2GiB Input in subtle.encryptA flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
|
| CVE-2026-48618 | Jun 26, 2026 |
Node.js TLS Hostname Normalization Bypass via Unicode Dot SeparatorA flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
|
| CVE-2026-13322 | Jun 26, 2026 |
DoS via endless buffering on virt-serial server in KubeVirtA flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed. |
Container Native Virtualization
|
| CVE-2026-13083 | Jun 25, 2026 |
RedHat PenDrive RptGen XSS via ClusterVersion spec.channelA flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report. |
Pdrive Lightspeed
|
| CVE-2026-13318 | Jun 25, 2026 |
SSRF in KubeVirt virt-api Port-forward via vmi.Status.IPA server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner. An attacker with kubevirt.io:edit permissions can create a VM with a modified guest agent that reports an arbitrary IP address, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. |
Container Native Virtualization
|
| CVE-2026-13218 | Jun 25, 2026 |
KubeVirt virt-handler cache handling flaw allows symlink-based file overwriteA flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership. |
Container Native Virtualization
|
| CVE-2026-12993 | Jun 25, 2026 |
Apicurio Registry XML Entity Expansion DoS via External Entity UploadA flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit. |
Apicurio Registry
|
| CVE-2026-12992 | Jun 25, 2026 |
Apicurio Registry WSDLReaderAccessor SSRF via WSDL ImportA flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery). |
Apicurio Registry
|
| CVE-2026-12975 | Jun 25, 2026 |
Apicurio Registry XML SSRF via External DTD Entity Fetch (CVE-2026-12975)A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion. |
Apicurio Registry
|
| CVE-2026-11800 | Jun 25, 2026 |
Keycloak JWT Algorithm Confusion Bypass Via Authorization GrantA flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation. |
Build Keycloak
Jboss Data Grid
Jbosseapxp
And others... |
| CVE-2026-47770 | Jun 25, 2026 |
jq <1.8.2 stack exhaustion via recursive array == comparisonjq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2. |
|
| CVE-2026-54679 | Jun 25, 2026 |
jq 1.8.2 Int Overflow & Buf OVerrun before 1.8.2 on 32-bitjq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2. |
|
| CVE-2026-9083 | Jun 25, 2026 |
Keycloak: Arbitrary File Path Disclosure via Keystore ParamA flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks. |
Build Keycloak
|
| CVE-2026-9799 | Jun 25, 2026 |
Keycloak UMA Prefix Bypass Grants Unauthorized Access Under PERMISSIVE ModeA flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources. |
Build Keycloak
|
| CVE-2026-9705 | Jun 25, 2026 |
Keycloak RAT Allows Reenable ClientA flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise. |
Build Keycloak
|
| CVE-2026-9086 | Jun 25, 2026 |
Keycloak Client Redirect URI Validation Bypass XSS (CVE-2026-9086)A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console. |
Build Keycloak
|
| CVE-2026-9099 | Jun 25, 2026 |
Keycloak Admin API: Missing Auth Checks in GroupResource.addChildA flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability. |
Build Keycloak
|
| CVE-2026-9800 | Jun 25, 2026 |
Keycloak Policy Enforcer Auth Bypass via Access-Denied Page InjectionA flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources. |
Build Keycloak
|
| CVE-2026-13208 | Jun 24, 2026 |
Unauthenticated Domain Event Forgery in KubeVirt virt-handlerA flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management. |
Container Native Virtualization
|
| CVE-2026-13201 | Jun 24, 2026 |
KubeVirt safepath nofollow bypass causes host path permission changesA flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to redirect virt-handler's IPC socket connections, including the notify socket used for VM domain lifecycle events. By hijacking this socket, the attacker can inject arbitrary domain events into virt-handler, causing it to take incorrect lifecycle actions, corrupt VM state in the Kubernetes API, or crash resulting in sustained denial of VM management services for all virtual machines on the affected node. Additionally, the same symlink following flaw allows virt-handler to apply file ownership or permission changes to unintended host paths. |
Container Native Virtualization
|
| CVE-2026-49980 | Jun 24, 2026 |
Rclone 1.46.0-1.74.3: Unauthenticated GET/HEAD RCE via rcdRclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3. |
Openshift Api Data Protection
Acm
Cryostat
|
| CVE-2026-12892 | Jun 23, 2026 |
GStreamer gst-plugins-bad H.264 MVC/SVC NAL Heap OOB ReadA flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-12891 | Jun 23, 2026 |
OOB Read in GStreamer gst-plugins-bad H.266 ParserA flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space. |
Enterprise Linux (RHEL)
|
| CVE-2026-11820 | Jun 23, 2026 |
Ansible Module 'nexmo' leaks API credentials via query stringA flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials (api_key and api_secret) into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log. An attacker with access to any of these logging or monitoring points can obtain the full API credentials and gain unauthorized access to the victim's Vonage/Nexmo account. |
Enterprise Linux (RHEL)
|
| CVE-2026-11819 | Jun 23, 2026 |
Ansible keyring_info leak passphrase via no_log omissionModule: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning. Root Cause: Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True) Line 127 (NOT protected): result["passphrase"] = passphrase Observed Output: { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } Visible via register + debug: { "keyring_result": { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } } Impact: Master passwords, SSH key passphrases and service credentials appear in all Ansible output register: keyring_result followed by debug: var=keyring_result prints passphrase in full Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase AWX/Tower job logs silently store the live credential Fix: module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True) Also add a documentation warning requiring callers to use no_log: true at the task level. PoCs Fig 1: PoC execution showing passphrase in plaintext output Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127) |
Enterprise Linux (RHEL)
|
| CVE-2026-9073 | Jun 23, 2026 |
foreman-mcp-server LEAKS Auth Tokens via Info & Debug LoggingA flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform. |
Satellite
|
| CVE-2026-12112 | Jun 23, 2026 |
Redhat Foreman MCP Server Session Hijack, Priv EscalationA flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution. |
Satellite
|
| CVE-2026-11807 | Jun 23, 2026 |
Missing auth in Red Hat EDA WebSocket API leaks credentialsA missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys. |
Ansible Automation Platform
|
| CVE-2026-12969 | Jun 23, 2026 |
dnsmasq OOB Heap Read via find_soa() in NS SectionAn out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-10609 | Jun 23, 2026 |
OpenShift Cluster Logging Operator: SA Token Escalation via Missing AuthA missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges. |
Logging
|
| CVE-2026-55654 | Jun 23, 2026 |
OpenSSH GSSAPI Trailing NULL -> Heap OOB Read DoSA flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-55655 | Jun 23, 2026 |
OpenSSH X11 Forwarding Hijack via local X Socket Pre-bindingA flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-55653 | Jun 23, 2026 |
OpenSSH DH-GEX Double Free DoS in FIPS ModeA flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS). |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-48746 | Jun 22, 2026 |
vLLM Authentication Bypass via ASGI Trust (0.3.0-0.22.0)vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0. |
|
| CVE-2026-12549 | Jun 22, 2026 |
Red Hat Apache HTTPD Signed Comparison Range Regres (CVE-2026-12549)The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding. |
Enterprise Linux (RHEL)
|
| CVE-2026-12725 | Jun 22, 2026 |
Heap Overflow in dnsmasq Causing DoS with DNSSEC+Query LoggingA heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-54100 | Jun 22, 2026 |
WMCO SSH Host Key Verification Flaw Exposes Windows Node CredentialsA flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster. |
Openshift
Windows Machine Config
|
| CVE-2026-54099 | Jun 22, 2026 |
Cluster Admin Escalation via WMCO CSR Auto-ApprovalA flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover. |
Openshift
Windows Machine Config
|
| CVE-2026-50559 | Jun 19, 2026 |
Quarkus HTTP Auth Bypass via Encoded ; and / Fixed 3.37.0Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch. |
|
| CVE-2026-12726 | Jun 19, 2026 |
AWX GitHub Webhook Exposure: Untrusted callback leaks PATA flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT. |
Ansible Automation Platform
|
| CVE-2026-56211 | Jun 19, 2026 |
RCE via AV1 SVC ID Bounds in libaom EncoderA remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56210 | Jun 19, 2026 |
libaom Heap-Buffer-Overflow in SVC Layer ID Read (CVE-2026-56210)A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory). |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56208 | Jun 19, 2026 |
Heap Overflow in libaom's AV1 Encoder LAP ModeA heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56209 | Jun 19, 2026 |
LIBAOM AV1 Codec Arbitrary Address Write via SVC Layer ControlAn arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-3195 | Jun 19, 2026 |
QEMU virtio-snd Input Callback Heap OOB Write CVE-2026-3195A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-3196 | Jun 19, 2026 |
Virtio-snd Integer Overflow Host DoS via PCM_INFOAn integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-12706 | Jun 19, 2026 |
FFmpeg RASC Decoder UAF via deallocated buffer in move_tableA use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash). |
Enterprise Linux Ai
Openshift Ai
|