Red Hat Red Hat Linux OS and other open source products

Products by Red Hat Sorted by Most Security Vulnerabilities since 2018

Red Hat Enterprise Linux (RHEL): 1752 vulnerabilities
Red Hat Enterprise Linux Server: 1534 vulnerabilities
    Red Hat Enterprise Linux (RHEL) Server. Includes software bundled with RHEL Server.
Red Hat Enterprise Linux Workstation: 1504 vulnerabilities
    Red Hat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop: 1493 vulnerabilities
    Red Hat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL Desktop.
Red Hat Enterprise Linux Eus: 800 vulnerabilities
Red Hat Openshift: 310 vulnerabilities
Red Hat Satellite: 226 vulnerabilities
Red Hat Rhel Eus: 222 vulnerabilities
Red Hat Openstack: 215 vulnerabilities
Red Hat Rhel E4s: 153 vulnerabilities
Red Hat Rhel Tus: 134 vulnerabilities
Red Hat Rhel Aus: 133 vulnerabilities
Red Hat Build Keycloak: 131 vulnerabilities
Red Hat Software Collections: 123 vulnerabilities
Red Hat Keycloak: 123 vulnerabilities
Red Hat Virtualization: 115 vulnerabilities
Red Hat Single Sign On: 95 vulnerabilities
Red Hat Rhel Els: 84 vulnerabilities
Red Hat Jboss Fuse: 71 vulnerabilities
Red Hat Ansible Tower: 69 vulnerabilities
Red Hat Hummingbird: 68 vulnerabilities
Red Hat Single Sign On: 64 vulnerabilities
Red Hat Jboss Data Grid: 59 vulnerabilities
Red Hat Ceph Storage: 59 vulnerabilities
Red Hat Jbosseapxp: 56 vulnerabilities
Red Hat Libvirt: 55 vulnerabilities
Red Hat Rhel Eus Long Life: 53 vulnerabilities
Red Hat Virtualization Host: 53 vulnerabilities
Red Hat Ansible: 42 vulnerabilities
Red Hat Enterprise Linux Aus: 41 vulnerabilities
Red Hat Quay: 40 vulnerabilities
Red Hat Kafka: 40 vulnerabilities
Red Hat Undertow: 40 vulnerabilities
    Java HTTP Server and Servlet Container
Red Hat Rhivos: 38 vulnerabilities
Red Hat Openstack Platform: 38 vulnerabilities
Red Hat Storage: 37 vulnerabilities
Red Hat Jboss Core Services: 35 vulnerabilities
Red Hat Discovery: 33 vulnerabilities
Red Hat Rhev Hypervisor: 33 vulnerabilities
Red Hat Linux: 32 vulnerabilities
Red Hat Quarkus: 30 vulnerabilities
Red Hat Cloudforms: 30 vulnerabilities
Red Hat Http Server: 29 vulnerabilities
Red Hat Satellite Capsule: 27 vulnerabilities
Red Hat Rhosemc: 27 vulnerabilities
Red Hat Fuse: 22 vulnerabilities
Red Hat Openshift Service Mesh: 21 vulnerabilities
Red Hat Integration Camel K: 20 vulnerabilities
Red Hat Insights Proxy: 20 vulnerabilities
Red Hat Enterprise Linux Tus: 20 vulnerabilities
Red Hat Process Automation: 19 vulnerabilities
Red Hat Wildfly: 19 vulnerabilities
Red Hat Directory Server: 18 vulnerabilities
Red Hat Camel Spring Boot: 18 vulnerabilities
Red Hat Integration: 18 vulnerabilities
Red Hat Logging: 18 vulnerabilities
Red Hat Rhui: 18 vulnerabilities
Red Hat Camel Quarkus: 17 vulnerabilities

Recent Red Hat Security Advisories

Advisory         Published     Title
RHSA-2026:20087  May 29, 2026  Important: OpenShift Container Platform 4.16.63 bug fix and security update
RHSA-2026:21932  May 29, 2026  Red Hat OpenShift Pipelines Release 1.20.5
RHSA-2026:21931  May 29, 2026  Red Hat OpenShift Pipelines Release 1.20.5
RHSA-2026:20088  May 29, 2026  OpenShift Container Platform 4.16.63 bug fix and security update
RHSA-2026:20089  May 29, 2026  OpenShift Container Platform 4.16.63 security and extras update
RHSA-2026:21773  May 28, 2026  Red Hat Offline Knowledge Portal security and content update
RHSA-2026:21772  May 28, 2026  Red Hat OpenShift Dev Spaces 3.28.0 Release
RHSA-2026:21769  May 28, 2026  Important: Multicluster Global Hub 1.5.4 security update
RHSA-2026:21757  May 28, 2026  Important: flatpak security update
RHSA-2026:21756  May 28, 2026  Important: flatpak security update

By the Year

In 2026 there have been 952 vulnerabilities in Red Hat with an average score of 7.0 out of ten. Last year, in 2025, Red Hat had 1132 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Red Hat in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.47.

Year  Vulnerabilities  Average Score
2026  952              7.03
2025  1132             6.56
2024  1684             6.57
2023  1206             6.75
2022  1362             6.97
2021  1123             6.62
2020  663              6.39
2019  772              6.98
2018  760              7.16

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

CVE-2026-10101 (May 29, 2026)
Title: RBAC Bypass: Assisted-Service Exposes Pull-Secret via InfraEnv.status
Description: ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
Products: Multicluster Engine

CVE-2026-46579 (May 29, 2026)
Title: OpenShift Router X-SSL-Client-* Header Bypass via insecureEdgeTerminationPolicy
Description: A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
Products: Openshift

CVE-2026-42965 (May 29, 2026)
Title: OpenShift Router allows metadata exfil via EndpointSlice FQDN proxy
Description: A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses.
Products: Openshift

CVE-2026-10078 (May 29, 2026)
Title: Quay OAuth validator leaks client_id & client_secret in URL query
Description: A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
Products: Quay

CVE-2026-10052 (May 29, 2026)
Title: Quay Config-Tool LDAP/SMTP Validation Bypass Enables Internal Reconnaissance
Description: A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or host filtering. This allows the attacker to perform internal network reconnaissance from the Quay pod's network position, potentially mapping the internal network infrastructure.
Products: Quay

CVE-2026-6324 (May 29, 2026)
Title: libsoup Signed-to-Unsigned Conversion Out-of-Bounds in HTTP Stream RCE
Description: A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.
Products: Enterprise Linux (RHEL)

CVE-2026-10028 (May 28, 2026)
Title: Glib-Networking GnuTLS Cert Verification Infinite Loop DoS
Description: A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.
Products: Enterprise Linux (RHEL)

CVE-2026-9804 (May 28, 2026)
Title: KubeVirt virt-exportserver Path Traversal Vulnerability
Description: A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.
Products: Container Native Virtualization

CVE-2026-4408 (May 28, 2026)
Title: Samba Remote Cmd Exec via Unsanitized %u in check password script
Description: A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
Products: Enterprise Linux (RHEL), Openshift

CVE-2026-44604 (May 28, 2026)
Title: CVE-2026-44604: rpmuncompress Command Injection W/O Sanitization
Description: A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
Products: Pdrive Lightspeed, Quarkus, Enterprise Linux (RHEL), and others

CVE-2026-9803 (May 28, 2026)
Title: Keycloak ClientRegistrationAuth DoS via malformed Bearer header
Description: A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
Products: Build Keycloak

CVE-2026-9802 (May 28, 2026)
Title: Keycloak token replay after revocation via server restart
Description: A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
Products: Build Keycloak

CVE-2026-9801 (May 28, 2026)
Title: Keycloak LDAP Password Policy DoS via OutOfMemoryError
Description: A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
Products: Build Keycloak

CVE-2026-9798 (May 28, 2026)
Title: Keycloak CIBA flow bypass for account lock via brute-force
Description: A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
Products: Build Keycloak

CVE-2026-9796 (May 28, 2026)
Title: Keycloak TOCTOU Privilege Escalation via Role Check Exploit
Description: A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
Products: Build Keycloak

CVE-2026-9795 (May 28, 2026)
Title: Keycloak FGAPv2 Role Assignment Bypass Exploits Admin Permissions
Description: A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Products: Build Keycloak

CVE-2026-9794 (May 28, 2026)
Title: Keycloak SAML ECP Info Disclosure via SOAP XML Fault Strings
Description: A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
Products: Build Keycloak

CVE-2026-9792 (May 28, 2026)
Title: Keycloak Client Policy Bypass Enables Unauth ROPC Grant
Description: A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
Products: Build Keycloak

CVE-2026-9793 (May 28, 2026)
Title: Keycloak JWE Decryption Bypass Allows Unauthorized OIDC Claims via Signature Oversight
Description: A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
Products: Build Keycloak

CVE-2026-9791 (May 28, 2026)
Title: Keycloak OIDC Org Metadata Leak via Authz Bypass
Description: A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
Products: Build Keycloak

CVE-2026-9704 (May 27, 2026)
Title: Keycloak TokenEndpoint JWT Length Bypass Escalates Privileges
Description: A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
Products: Build Keycloak

CVE-2026-1933 (May 27, 2026)
Title: Samba NTFS Reparse Points Access Control Bypass via SMB
Description: A flaw was found in Samba's handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.
Products: Enterprise Linux (RHEL), Openshift

CVE-2026-2340 (May 27, 2026)
Title: Samba's vfs_worm Rename Bypass Enables Overwrite of WORM Files
Description: A flaw was found in Samba's vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
Products: Enterprise Linux (RHEL), Openshift

CVE-2026-9689 (May 27, 2026)
Title: Keycloak HTTP Parameter Pollution via Broad Redirect URIs
Description: A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.
Products: Build Keycloak

CVE-2026-3012 (May 27, 2026)
Title: Samba CA AutoEnroll HTTP Trust Misinstall (CVE-2026-3012)
Description: A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.
Products: Enterprise Linux (RHEL), Openshift

CVE-2026-42015 (May 26, 2026)
Title: GnuTLS PKCS#12 Bag Off-by-One Buffer Overwrite
Description: A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-42013 (May 26, 2026)
Title: GnuTLS SAN Size ForkCheck Bypass
Description: A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-42012 (May 26, 2026)
Title: GNUTLS Certificate Validation Bypass via URI/SRV SAN Fallback
Description: A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-5260 (May 26, 2026)
Title: Libgnutls RSA PKCS#11 Key Exchange Overread Info Disclosure
Description: A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-48864 (May 26, 2026)
Title: libsolv Heap Buffer Overflow via .solv Decompression
Description: A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-4480 (May 26, 2026)
Title: Shell Injection in Samba Print Service via Unescaped %J
Description: A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell metacharacters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.
Products: Enterprise Linux (RHEL), Openshift

CVE-2026-7374 (May 26, 2026)
Title: KubeVirt virt-handler Symlink Hijack Allows Node/Cluster Takeover
Description: A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.
Products: Container Native Virtualization

CVE-2026-46300 (May 23, 2026)
Title: Linux kernel: skb sharedfrag flag mispropagated in fragtransfer helpers
Description: In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing. skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

CVE-2026-9149 (May 20, 2026)
Title: libsolv Heap B.O. in repo_add_solv via negative .solv size
Description: A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-9150 (May 20, 2026)
Title: Red Hat libsolv Stack Buffer Overflow in Debian METADATA Parser
Description: A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.
Products: Enterprise Linux (RHEL), Hummingbird, Openshift, and others

CVE-2026-9087 (May 20, 2026)
Title: Keycloak Cross-Session Verification Key Allows Upstream IdP Account Consuming
Description: A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
Products: Build Keycloak

CVE-2026-9064 (May 20, 2026)
Title: 389-DS LDAP DoS: Unbounded Controls Enable Remote Overload
Description: A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Products: Directory Server, Enterprise Linux (RHEL)

CVE-2026-8975 (May 19, 2026)
Title: Mozilla Firefox ESR 115.35/140.10/150 Mem Safety Bug (CVE-2026-8975)
Description: Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8974 (May 19, 2026)
Title: Firefox Memory Safety Bugs 140.10/150: Arbitrary Code Exec Fix in 151
Description: Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8970 (May 19, 2026)
Title: Firefox Privilege Escalation in Security Component before 151/140.11
Description: Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8968 (May 19, 2026)
Title: Firefox Web Codecs DS via invalid pointer fixed in 151/140.11
Description: Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8962 (May 19, 2026)
Title: Firefox 151/ESR 140.11 DOM Mitigation Bypass Security Component
Description: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8961 (May 19, 2026)
Title: Firefox Form Autofill Spoofing CVE-2026-8961 (fixed in 151/ESR 140.11)
Description: Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8959 (May 19, 2026)
Title: Firefox 151 Win32 Widget Sandbox Escape - Boundary Condition Flaw
Description: Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8958 (May 19, 2026)
Title: Firefox 151 Information Disclosure Process Sandbox Escape
Description: Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8957 (May 19, 2026)
Title: Privilege Escalation in Firefox Enterprise Policies (before 151)
Description: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8956 (May 19, 2026)
Title: Integer Overflow in Firefox Networking JAR (150)
Description: Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8955 (May 19, 2026)
Title: Firefox Workers DOM Privilege Escalation (Pre151)
Description: Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8954 (May 19, 2026)
Title: Integer Overflow in Firefox AV Comp (before 151/ESR 140.11)
Description: Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8953 (May 19, 2026)
Title: Firefox Sandbox Escape via Use-After-Free in Disability Access APIs (before 151)
Description: Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).