Red Hat: Red Hat Linux OS and other open source products

Products by Red Hat, sorted by most security vulnerabilities since 2018

Red Hat Enterprise Linux (RHEL): 1602 vulnerabilities

Red Hat Enterprise Linux Server: 1534 vulnerabilities
Red Hat Enterprise Linux (RHEL) Server. Includes software bundled with RHEL Server.

Red Hat Enterprise Linux Workstation: 1504 vulnerabilities
Red Hat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.

Red Hat Enterprise Linux Desktop: 1493 vulnerabilities
Red Hat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL Desktop.

Red Hat Enterprise Linux Eus: 770 vulnerabilities

Red Hat Openshift: 235 vulnerabilities

Red Hat Satellite: 211 vulnerabilities

Red Hat Openstack: 208 vulnerabilities

Red Hat Rhel Eus: 193 vulnerabilities

Red Hat Rhel E4s: 126 vulnerabilities

Red Hat Software Collections: 123 vulnerabilities

Red Hat Keycloak: 121 vulnerabilities

Red Hat Virtualization: 115 vulnerabilities

Red Hat Rhel Tus: 111 vulnerabilities

Red Hat Rhel Aus: 110 vulnerabilities

Red Hat Single Sign On: 95 vulnerabilities

Red Hat Build Keycloak: 69 vulnerabilities

Red Hat Rhel Els: 69 vulnerabilities

Red Hat Ansible Tower: 66 vulnerabilities

Red Hat Jboss Fuse: 63 vulnerabilities

Red Hat Libvirt: 55 vulnerabilities

Red Hat Ceph Storage: 54 vulnerabilities

Red Hat Virtualization Host: 53 vulnerabilities

Red Hat Jboss Data Grid: 53 vulnerabilities

Red Hat Single Sign On: 47 vulnerabilities

Red Hat Enterprise Linux Aus: 41 vulnerabilities

Red Hat Ansible: 39 vulnerabilities

Red Hat Undertow: 39 vulnerabilities
Java HTTP Server and Servlet Container

Red Hat Openstack Platform: 38 vulnerabilities

Red Hat Rhivos: 38 vulnerabilities

Red Hat Storage: 37 vulnerabilities

Red Hat Jbosseapxp: 34 vulnerabilities

Red Hat Rhev Hypervisor: 33 vulnerabilities

Red Hat Linux: 32 vulnerabilities

Red Hat Rhel Eus Long Life: 32 vulnerabilities

Red Hat Quay: 31 vulnerabilities

Red Hat Jboss Core Services: 29 vulnerabilities

Red Hat Kafka: 27 vulnerabilities

Red Hat Quarkus: 27 vulnerabilities

Red Hat Discovery: 26 vulnerabilities

Red Hat Rhosemc: 23 vulnerabilities

Red Hat Http Server: 22 vulnerabilities

Red Hat Fuse: 22 vulnerabilities

Red Hat Openshift Service Mesh: 21 vulnerabilities

Red Hat Satellite Capsule: 20 vulnerabilities

Red Hat Integration Camel K: 20 vulnerabilities

Red Hat Enterprise Linux Tus: 20 vulnerabilities

Red Hat Wildfly: 19 vulnerabilities

Red Hat Process Automation: 19 vulnerabilities

Red Hat Integration: 17 vulnerabilities

Red Hat Logging: 17 vulnerabilities

Red Hat Directory Server: 16 vulnerabilities

Red Hat Camel Quarkus: 15 vulnerabilities

Red Hat Serverless: 15 vulnerabilities

Recent Red Hat Security Advisories

Advisory | Title | Published
RHSA-2026:0627 | Important: Red Hat Advanced Cluster Management for Kubernetes v2.13.5 security update | January 14, 2026
RHSA-2026:0608 | Moderate: vsftpd security update | January 14, 2026
RHSA-2026:0606 | Moderate: vsftpd security update | January 14, 2026
RHSA-2026:0605 | Moderate: vsftpd security update | January 14, 2026
RHSA-2026:0602 | Moderate: openssl security update | January 14, 2026
RHSA-2026:0420 | Important: OpenShift Container Platform 4.20.10 bug fix and security update | January 14, 2026
RHSA-2026:0596 | Moderate: cups security update | January 14, 2026
RHSA-2026:0594 | Moderate: libpq security update | January 14, 2026
RHSA-2026:0576 | Important: kernel security update | January 14, 2026
RHSA-2026:0545 | Important: podman security update | January 14, 2026

By the Year

In 2026 there have been 7 vulnerabilities in Red Hat with an average score of 7.5 out of ten. Last year, in 2025, Red Hat had 984 security vulnerabilities published. Right now, Red Hat is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.95.

Year | Vulnerabilities | Average Score
2026 | 7 | 7.47
2025 | 984 | 6.52
2024 | 1671 | 6.56
2023 | 1206 | 6.74
2022 | 1360 | 6.96
2021 | 1122 | 6.68
2020 | 644 | 6.62
2019 | 757 | 6.93
2018 | 739 | 7.31

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-14242 Jan 14, 2026
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Enterprise Linux (RHEL)
CVE-2026-0716 Jan 13, 2026
A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted.
Enterprise Linux (RHEL)
CVE-2025-12548 Jan 13, 2026
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
Openshift Devspaces
CVE-2025-14025 Jan 08, 2026
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC).
Ansible Automation Platform
CVE-2026-0719 Jan 08, 2026
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
Enterprise Linux (RHEL)
CVE-2026-0707 Jan 08, 2026
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
Build Keycloak
CVE-2025-12543 Jan 07, 2026
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Camel Spring Boot
Apache Camel Hawtio
Jboss Data Grid
And others...
CVE-2025-61594 Dec 30, 2025
URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
CVE-2025-13699 Dec 23, 2025
MariaDB mariadb-dump Directory Traversal RCE via View Name Validation
MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000.
CVE-2025-11419 Dec 23, 2025
Keycloak TLS 1.2 Renegotiation DoS (unauthenticated, CPU exhaustion)
A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.
Build Keycloak
Keycloak
CVE-2025-14946 Dec 19, 2025
libnbd URI Injection Enables Code Execution via Malicious SSH Args
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Enterprise Linux (RHEL)
Container Native Virtualization
CVE-2025-14874 Dec 18, 2025
Nodemailer DoS via crafted email header triggers infinite recursion
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Acm
Ceph Storage
Rhdh
And others...
CVE-2025-43535 Dec 17, 2025
Apple Safari 26.2 Crashes on Malicious Web Content (CVE-2025-43535)
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43529 Dec 17, 2025
Apple iOS/macOS Use-After-Free in Safari (fixed 26.2) CAU leading to code exec
A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
CVE-2025-43531 Dec 17, 2025
Apple Safari race condition leads to crash from malicious content
A race condition was addressed with improved state handling. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43536 Dec 17, 2025
Use-After-Free in Apple Safari 26.2 causing crashes
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43541 Dec 17, 2025
Apple Safari Type Confusion Crash (pre-26.2)
A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2025-43501 Dec 17, 2025
Apple Safari Buffer Overflow Fixed in 26.2
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-68156 Dec 16, 2025
Expr 1.17.6 DoS via unbounded recursion in builtin funcs
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly.
In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service.
The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions.
For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch.
CVE-2025-68287 Dec 16, 2025
Linux Kernel dwc3 Remove Requests Race Condition Causing USB Crash
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.
CVE-2025-68285 Dec 16, 2025
Linux kernel Ceph lib: use-after-free in have_mon_and_osd_map
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix potential use-after-free in have_mon_and_osd_map()
The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one
    kfree(monc->monmap);
    monc->monmap = monmap;
    ceph_osdmap_destroy(osdc->osdmap);
    osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
    client->monc.monmap && client->monc.monmap->epoch &&
        client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled:
    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
    ...
    Call Trace:
    <TASK>
    have_mon_and_osd_map+0x56/0x70
    ceph_open_session+0x182/0x290
    ceph_get_tree+0x333/0x680
    vfs_get_tree+0x49/0x180
    do_new_mount+0x1a3/0x2d0
    path_mount+0x6dd/0x730
    do_mount+0x99/0xe0
    __do_sys_mount+0x141/0x180
    do_syscall_64+0x9f/0x100
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    </TASK>
    Allocated by task 13305:
    ceph_osdmap_alloc+0x16/0x130
    ceph_osdc_init+0x27a/0x4c0
    ceph_create_client+0x153/0x190
    create_fs_client+0x50/0x2a0
    ceph_get_tree+0xff/0x680
    vfs_get_tree+0x49/0x180
    do_new_mount+0x1a3/0x2d0
    path_mount+0x6dd/0x730
    do_mount+0x99/0xe0
    __do_sys_mount+0x141/0x180
    do_syscall_64+0x9f/0x100
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    Freed by task 9475:
    kfree+0x212/0x290
    handle_one_map+0x23c/0x3b0
    ceph_osdc_handle_map+0x3c9/0x590
    mon_dispatch+0x655/0x6f0
    ceph_con_process_message+0xc3/0xe0
    ceph_con_v1_try_read+0x614/0x760
    ceph_con_workfn+0x2de/0x650
    process_one_work+0x486/0x7c0
    process_scheduled_works+0x73/0x90
    worker_thread+0x1c8/0x2a0
    kthread+0x2ec/0x300
    ret_from_fork+0x24/0x40
    ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well.
CVE-2025-14443 Dec 16, 2025
OpenShift API Server SSRF Enables Internal Network Enumeration
A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references.
Openshift
CVE-2025-14777 Dec 16, 2025
Keycloak Admin API IDOR via ResourceSetService
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
Build Keycloak
Keycloak
CVE-2025-11393 Dec 15, 2025
runtimes-inventory-rhel8-operator: proxy attaches admin creds to all commands
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.
Insights Runtimes
Lightspeed For Runtimes
CVE-2025-13888 Dec 15, 2025
OpenShift GitOps Escalation via ArgoCD CR Manipulation
A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.
Openshift Gitops
CVE-2025-14523 Dec 11, 2025
HTTP Host Header Smuggling via libsoup's Duplicate Host Handling
A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
Enterprise Linux (RHEL)
CVE-2025-14512 Dec 11, 2025
glib GIO escape_byte_string overflow causes heap buffer DoS
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
Enterprise Linux (RHEL)
Openshift
CVE-2025-14082 Dec 10, 2025
Keycloak Admin REST API Info Disclosure via /roles endpoint
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
Build Keycloak
Keycloak
CVE-2025-14087 Dec 10, 2025
GLib GVariant Buffer Underflow Heap Corruption (CVE-2025-14087)
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
Enterprise Linux (RHEL)
CVE-2025-14333 Dec 09, 2025
Firefox/Thunderbird Memory Corruption CVE-2025-14333 (ESR<140.6, <=145)
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14331 Dec 09, 2025
Firefox Same-Origin Policy Bypass in Request Handler <146
Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14330 Dec 09, 2025
Firefox JIT Miscompilation in JavaScript Engine (<= 145, ESR < 140.6)
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14329 Dec 09, 2025
Firefox Netmonitor PrivEsc <146, ESR<140.6
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14328 Dec 09, 2025
Privilege Escalation in Netmonitor (Firefox <146 / ESR<140.6)
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14325 Dec 09, 2025
Firefox JIT Miscompilation (JS) <146/ESR<140.6
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14324 Dec 09, 2025
Mozilla Firefox JIT Miscompilation (JS Engine) before v146, ESR <115.31/140.6
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14323 Dec 09, 2025
Firefox <146 PrivEsc via DOM Notifications
Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14322 Dec 09, 2025
Firefox Sandbox Escape via CanvasWebGL before v146 (ESR <115.31,140.6)
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14321 Dec 09, 2025
Use-after-free in WebRTC Signaling: Firefox <146, ESR <140.6
Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-40277 Dec 06, 2025
Linux Kernel DRM/VMWGFX Header Size Validation vs SVGA_CMD_MAX_DATASIZE -> OOB
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.
CVE-2025-66566 Dec 05, 2025
CVE-2025-66566: LZ4 Java 1.10.0 Buffer not cleared leads to data disclosure
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
CVE-2025-14104 Dec 05, 2025
Heap Buffer Overread in util-linux setpwnam() (256-byte usernames)
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
Enterprise Linux (RHEL)
Openshift
CVE-2025-58098 Dec 05, 2025
Apache HTTP Server <2.4.66: SSI Exec Cmd Shell Injection via mod_cgid
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-66200 Dec 05, 2025
Apache HTTP Server 2.4.7-65 AllowOverride FileInfo Bypass
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-65082 Dec 05, 2025
Apache HTTP Server 2.4.0-2.4.65 ENV Var XSS via config, fixed in 2.4.66
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
CVE-2025-55753 Dec 05, 2025
Apache HTTPd 2.4.30-2.4.65 Integer Overflow in ACME Renewal Zero Backoff Timer
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-66287 Dec 04, 2025
WebKitGTK Unexpected Crash from Malicious Web Content (CVE-2025-66287)
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.
Enterprise Linux (RHEL)
Rhel Eus
Rhel Aus
And others...
CVE-2025-66516 Dec 04, 2025
Apache Tika XXE prior 3.2.2 & 1.28.5 (tika-core, pdf-module, parsers)
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
CVE-2025-40240 Dec 04, 2025
Linux Kernel SCTP Chunk NULL Dereference when Data Buffer Missing
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.
CVE-2025-14010 Dec 04, 2025
Ansible-Collection-Community-General: Info Exposure via Verbose Debug Output
A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.
Ceph Storage
Openstack
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).