Red Hat Linux OS and other open source products
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Red Hat product.
RSS Feeds for Red Hat security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Red Hat products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
Red Hat Enterprise Linux Server1534 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.
Red Hat Enterprise Linux Workstation1504 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop1493 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:30115 | (RHSA-2026:30115) Important: perl-IO-Compress security update | June 25, 2026 |
| RHSA-2026:30089 | (RHSA-2026:30089) Red Hat AI Inference Server 3.3.5 (CUDA) | June 25, 2026 |
| RHSA-2026:30088 | (RHSA-2026:30088) Red Hat AI Inference Server 3.3.5 (ROCm) | June 25, 2026 |
| RHSA-2026:30087 | (RHSA-2026:30087) Red Hat AI Inference Server 3.3.5 (Spyre) | June 25, 2026 |
| RHSA-2026:30086 | (RHSA-2026:30086) Important: perl-IO-Compress security update | June 25, 2026 |
| RHSA-2026:30084 | (RHSA-2026:30084) Important: Red Hat build of Keycloak 26.6.4 Images Security Update | June 25, 2026 |
| RHSA-2026:30083 | (RHSA-2026:30083) Important: Red Hat build of Keycloak 26.6.4 Security Update | June 25, 2026 |
| RHSA-2026:30076 | (RHSA-2026:30076) Red Hat Quay 3.12.19 | June 25, 2026 |
| RHSA-2026:30056 | (RHSA-2026:30056) RHOAI 3.3.4 - Red Hat OpenShift AI | June 25, 2026 |
| RHSA-2026:30050 | (RHSA-2026:30050) Important: Red Hat build of Keycloak 26.4.13 Images Security Update | June 25, 2026 |
By the Year
In 2026 there have been 1306 vulnerabilities in Red Hat with an average score of 7.0 out of ten. Last year, in 2025 Red Hat had 1140 security vulnerabilities published. That is, 166 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.45.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1306 | 7.02 |
| 2025 | 1140 | 6.56 |
| 2024 | 1686 | 6.57 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.97 |
| 2021 | 1123 | 6.62 |
| 2020 | 663 | 6.39 |
| 2019 | 772 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-12992 | Jun 25, 2026 |
Apicurio Registry WSDLReaderAccessor SSRF via WSDL ImportA flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery). |
Apicurio Registry
|
| CVE-2026-12975 | Jun 25, 2026 |
Apicurio Registry XML SSRF via External DTD Entity Fetch (CVE-2026-12975)A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion. |
Apicurio Registry
|
| CVE-2026-11800 | Jun 25, 2026 |
Keycloak JWT Algorithm Confusion Bypass Via Authorization GrantA flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation. |
Build Keycloak
Jboss Data Grid
Jbosseapxp
And others... |
| CVE-2026-9083 | Jun 25, 2026 |
Keycloak: Arbitrary File Path Disclosure via Keystore ParamA flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks. |
Build Keycloak
|
| CVE-2026-9799 | Jun 25, 2026 |
Keycloak UMA Prefix Bypass Grants Unauthorized Access Under PERMISSIVE ModeA flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources. |
Build Keycloak
|
| CVE-2026-9705 | Jun 25, 2026 |
Keycloak RAT Allows Reenable ClientA flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise. |
Build Keycloak
|
| CVE-2026-9086 | Jun 25, 2026 |
Keycloak Client Redirect URI Validation Bypass XSS (CVE-2026-9086)A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console. |
Build Keycloak
|
| CVE-2026-9099 | Jun 25, 2026 |
Keycloak Admin API: Missing Auth Checks in GroupResource.addChildA flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability. |
Build Keycloak
|
| CVE-2026-9800 | Jun 25, 2026 |
Keycloak Policy Enforcer Auth Bypass via Access-Denied Page InjectionA flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources. |
Build Keycloak
|
| CVE-2026-13208 | Jun 24, 2026 |
Unauthenticated Domain Event Forgery in KubeVirt virt-handlerA flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management. |
Container Native Virtualization
|
| CVE-2026-13201 | Jun 24, 2026 |
KubeVirt safepath nofollow bypass causes host path permission changesA flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path. |
Container Native Virtualization
|
| CVE-2026-12892 | Jun 23, 2026 |
GStreamer gst-plugins-bad H.264 MVC/SVC NAL Heap OOB ReadA flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory. |
Enterprise Linux (RHEL)
|
| CVE-2026-12891 | Jun 23, 2026 |
OOB Read in GStreamer gst-plugins-bad H.266 ParserA flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space. |
Enterprise Linux (RHEL)
|
| CVE-2026-11820 | Jun 23, 2026 |
Ansible Module 'nexmo' leaks API credentials via query stringModule: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection. Vulnerable Code (lines 82-93): msg = { "api_key": module.params.get("api_key"), "api_secret": module.params.get("api_secret"), "from": module.params.get("src"), "text": module.params.get("msg"), } url = f"{NEXMO_API}?{urlencode(msg)}" response, info = fetch_url(module, url, headers=headers) Observed Output: https://rest.nexmo.com/sms/json?api_key=a1b2c3d4&api_secret=MyS3cr3tK3y!!&from=AnsibleBot&to=15551234567&text=Hello Exposure Vectors: Ansible verbose output (-vvv) logs the full request URL Vonage/Nexmo server access logs record credentials in query string HTTP proxies, SIEM, and network inspection tools capture the full URL AWX/Automation Controller network debug logs Fix: Switch to POST with credentials in the request body: data = urlencode({"api_key": api_key, "api_secret": api_secret, "from": src, "to": number, "text": msg}) fetch_url(module, NEXMO_API, data=data, method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"}) |
Enterprise Linux (RHEL)
|
| CVE-2026-11819 | Jun 23, 2026 |
Ansible keyring_info leak passphrase via no_log omissionModule: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning. Root Cause: Line 105 (protected): keyring_password=dict(type="str", required=True, no_log=True) Line 127 (NOT protected): result["passphrase"] = passphrase Observed Output: { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } Visible via register + debug: { "keyring_result": { "changed": false, "passphrase": "MyMasterP@ssw0rd!SSH_Key_Secret" } } Impact: Master passwords, SSH key passphrases and service credentials appear in all Ansible output register: keyring_result followed by debug: var=keyring_result prints passphrase in full Ansible fact caching backends (Redis, JSON file, memcached) may persist the passphrase AWX/Tower job logs silently store the live credential Fix: module.exit_json(changed=False, passphrase=passphrase, _ansible_no_log=True) Also add a documentation warning requiring callers to use no_log: true at the task level. PoCs Fig 1: PoC execution showing passphrase in plaintext output Fig 2: Source code showing no_log=True on input (line 105) vs unprotected output (line 127) |
Enterprise Linux (RHEL)
|
| CVE-2026-9073 | Jun 23, 2026 |
foreman-mcp-server LEAKS Auth Tokens via Info & Debug LoggingA flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform. |
Satellite
|
| CVE-2026-12112 | Jun 23, 2026 |
Redhat Foreman MCP Server Session Hijack, Priv EscalationA flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution. |
Satellite
|
| CVE-2026-11807 | Jun 23, 2026 |
Missing auth in Red Hat EDA WebSocket API leaks credentialsA missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys. |
Ansible Automation Platform
|
| CVE-2026-12969 | Jun 23, 2026 |
dnsmasq OOB Heap Read via find_soa() in NS SectionAn out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-10609 | Jun 23, 2026 |
OpenShift Cluster Logging Operator: SA Token Escalation via Missing AuthA missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges. |
Logging
|
| CVE-2026-55654 | Jun 23, 2026 |
OpenSSH GSSAPI Trailing NULL -> Heap OOB Read DoSA flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-55655 | Jun 23, 2026 |
OpenSSH X11 Forwarding Hijack via local X Socket Pre-bindingA flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session. |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-55653 | Jun 23, 2026 |
OpenSSH DH-GEX Double Free DoS in FIPS ModeA flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS). |
Enterprise Linux (RHEL)
Hummingbird
Openshift
And others... |
| CVE-2026-48746 | Jun 22, 2026 |
vLLM Authentication Bypass via ASGI Trust (0.3.0-0.22.0)vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0. |
|
| CVE-2026-12549 | Jun 22, 2026 |
Red Hat Apache HTTPD Signed Comparison Range Regres (CVE-2026-12549)The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding. |
Enterprise Linux (RHEL)
|
| CVE-2026-12725 | Jun 22, 2026 |
Heap Overflow in dnsmasq Causing DoS with DNSSEC+Query LoggingA heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-54100 | Jun 22, 2026 |
WMCO SSH Host Key Verification Flaw Exposes Windows Node CredentialsA flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster. |
Openshift
Windows Machine Config
|
| CVE-2026-54099 | Jun 22, 2026 |
Cluster Admin Escalation via WMCO CSR Auto-ApprovalA flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover. |
Openshift
Windows Machine Config
|
| CVE-2026-50559 | Jun 19, 2026 |
Quarkus HTTP Auth Bypass via Encoded ; and / Fixed 3.37.0Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch. |
|
| CVE-2026-12726 | Jun 19, 2026 |
AWX GitHub Webhook Exposure: Untrusted callback leaks PATA flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT. |
Ansible Automation Platform
|
| CVE-2026-56211 | Jun 19, 2026 |
RCE via AV1 SVC ID Bounds in libaom EncoderA remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56210 | Jun 19, 2026 |
libaom Heap-Buffer-Overflow in SVC Layer ID Read (CVE-2026-56210)A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory). |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56208 | Jun 19, 2026 |
Heap Overflow in libaom's AV1 Encoder LAP ModeA heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-56209 | Jun 19, 2026 |
LIBAOM AV1 Codec Arbitrary Address Write via SVC Layer ControlAn arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution. |
Enterprise Linux (RHEL)
Enterprise Linux Ai
Hummingbird
And others... |
| CVE-2026-3195 | Jun 19, 2026 |
QEMU virtio-snd Input Callback Heap OOB Write CVE-2026-3195A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-3196 | Jun 19, 2026 |
Virtio-snd Integer Overflow Host DoS via PCM_INFOAn integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-12706 | Jun 19, 2026 |
FFmpeg RASC Decoder UAF via deallocated buffer in move_tableA use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash). |
Enterprise Linux Ai
Openshift Ai
|
| CVE-2026-11791 | Jun 18, 2026 |
389 DS Use-After-Free via Unref'd Attr_Syntax Swap during Schema ReloadA flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash). |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-12505 | Jun 18, 2026 |
CIFS-UTILS PrivEsc via request_key and malicious NSS ModuleA flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted request_key payload to trick the root-owned helper into entering a custom environment (namespace) containing a malicious NSS module. This forces the system to load the attacker's controlled NSS Module and configuration, allowing them to execute arbitrary commands as the root user, elevating their privileges and fully compromising the system. |
Enterprise Linux (RHEL)
Openshift
|
| CVE-2026-55200 | Jun 17, 2026 |
libssh2 1.11.1 OOB Write in ssh2_transport_read() via oversized packet_lengthlibssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution. |
|
| CVE-2026-55199 | Jun 17, 2026 |
libssh2 <=1.11.1 SSH_MSG_EXT_INFO Pre-auth CPU DoSlibssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops. |
|
| CVE-2026-48818 | Jun 17, 2026 |
Starlette <1.1.0 StaticFiles SSRF on WindowsStarlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service accounts NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0. |
|
| CVE-2026-47774 | Jun 17, 2026 |
Envoy HTTP/2 OOM DoS (v<1.35.11/1.36.7/1.37.3/1.38.1)Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. |
|
| CVE-2026-12515 | Jun 17, 2026 |
Katello ContentUploadsController Auth Bypass via Edit ProductsA flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content. |
Hummingbird
Satellite
|
| CVE-2026-12528 | Jun 17, 2026 |
389 Directory Server heap buffer overflow in aclparse.cA flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process. |
Directory Server
Enterprise Linux (RHEL)
|
| CVE-2026-12491 | Jun 17, 2026 |
vLLM Image Metadata Handling CVE: EXIF/TPNG tRNS VulnerabilityA flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data. |
Ai Inference Server
Enterprise Linux Ai
Openshift Ai
And others... |
| CVE-2026-2604 | Jun 16, 2026 |
Flatpak D-Bus Traversal in Evolution-Data-Server Enables File DeleteA flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files. |
Enterprise Linux (RHEL)
|
| CVE-2026-48779 | Jun 16, 2026 |
ws Memory Exhaustion DoS Node.js <5.2.5 6.2.4 7.5.11 8.21.0ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0. |
|
| CVE-2026-4367 | Jun 16, 2026 |
Xpm OOB Read in libXpm Causes DoSA flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions. |
Enterprise Linux (RHEL)
Hummingbird
|
| CVE-2026-10649 | Jun 16, 2026 |
CVE-2026-10649: Integer Overflow in Pacemaker Remote DecompressionA flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing. |
Enterprise Linux (RHEL)
Openshift
|