Ai Inference Server Red Hat Ai Inference Server

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Ai Inference Server.

Recent Red Hat Ai Inference Server Security Advisories

Advisory Title Published
RHSA-2026:36006 (RHSA-2026:36006) Red Hat AI Inference Server 3.2.2 (ROCm) July 6, 2026
RHSA-2026:36005 (RHSA-2026:36005) Red Hat AI Inference Server 3.2.2 (CUDA) July 6, 2026
RHSA-2026:36004 (RHSA-2026:36004) Red Hat AI Inference Server Model Optimization Tools 3.2.2 (cuda) July 6, 2026
RHSA-2026:30089 (RHSA-2026:30089) Red Hat AI Inference Server 3.3.5 (CUDA) June 25, 2026
RHSA-2026:30088 (RHSA-2026:30088) Red Hat AI Inference Server 3.3.5 (ROCm) June 25, 2026
RHSA-2026:30087 (RHSA-2026:30087) Red Hat AI Inference Server 3.3.5 (Spyre) June 25, 2026
RHSA-2026:30078 (RHSA-2026:30078) Red Hat AI Inference Server Model Optimization Tools 3.3.5 (CUDA) June 25, 2026
RHSA-2026:25096 (RHSA-2026:25096) Red Hat AI Inference Server Model Optimization Tools 3.2.2 (cuda) June 10, 2026
RHSA-2026:19725 (RHSA-2026:19725) Red Hat AI Inference Server 3.2.2 (ROCm) May 20, 2026
RHSA-2026:19724 (RHSA-2026:19724) Red Hat AI Inference Server 3.2.2 (CUDA) May 20, 2026

By the Year

In 2026 there have been 94 vulnerabilities in Red Hat Ai Inference Server with an average score of 7.7 out of ten. Last year, in 2025 Ai Inference Server had 6 security vulnerabilities published. That is, 88 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.77.

Year Vulnerabilities Average Score
2026 94 7.67
2025 6 6.90
2024 4 6.45

It may take a day or so for new Ai Inference Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Ai Inference Server Security Vulnerabilities

FFmpeg RASC Decoder OOB Heap Write via Malformed Frame
CVE-2026-58049 7.6 - High - June 28, 2026

FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

Memory Corruption

Jackson-Databind PTV Array Type Allowlist Bypass 2.10.0-2.18.8, 2.21.4, 3.1.4
CVE-2026-54513 8.1 - High - June 23, 2026

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Denylist / Deny List

vLLM <0.22.0: Assert in Activation Fxn Loading Enables AAE
CVE-2026-41523 7.5 - High - June 22, 2026

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.

Code Injection

vLLM Authentication Bypass via ASGI Trust (0.3.0-0.22.0)
CVE-2026-48746 9.1 - Critical - June 22, 2026

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.

HTTP Request Smuggling

vLLM 0.10.2-0.12.x Missing Sparse Tensor Validation, Potential DoS
CVE-2026-56340 8.8 - High - June 20, 2026

vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause.

Improper Input Validation

RCE via AV1 SVC ID Bounds in libaom Encoder
CVE-2026-56211 7.1 - High - June 19, 2026

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.

Memory Corruption

libaom Heap-Buffer-Overflow in SVC Layer ID Read (CVE-2026-56210)
CVE-2026-56210 7.1 - High - June 19, 2026

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).

Out-of-bounds Read

LIBAOM AV1 Codec Arbitrary Address Write via SVC Layer Control
CVE-2026-56209 7.1 - High - June 19, 2026

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.

Memory Corruption

Heap Overflow in libaom's AV1 Encoder LAP Mode
CVE-2026-56208 7.6 - High - June 19, 2026

A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.

Heap-based Buffer Overflow

FFmpeg MagicYUV libavcodec OOB Write <8.1.2
CVE-2026-8461 8.8 - High - June 18, 2026

An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2.

Memory Corruption

Starlette <1.1.0 StaticFiles SSRF on Windows
CVE-2026-48818 7.5 - High - June 17, 2026

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service accounts NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

SSRF

vLLM Image Metadata Handling CVE: EXIF/TPNG tRNS Vulnerability
CVE-2026-12491 4.8 - Medium - June 17, 2026

A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.

Misinterpretation of Input

vLLM 0.8.0+ OOM DoS via unbounded frame count in VideoMediaIO.load_base64()
CVE-2026-5497 7.5 - High - June 11, 2026

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to extract individual JPEG frames without enforcing a frame count limit. An attacker can exploit this by crafting a single API request containing thousands of comma-separated base64-encoded JPEG frames in a data URL, causing the server to decode all frames into memory and crash due to excessive memory consumption. This vulnerability is reachable via the OpenAI-compatible chat completions API and does not require authentication.

Resource Exhaustion

RCE in HuggingFace Transformers 5.2.0 LightGlue load path
CVE-2026-5241 7.7 - High - June 03, 2026

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.

Inclusion of Functionality from Untrusted Control Sphere

AIOHTTP <3.14: CookieJar.load() RCE via untrusted input
CVE-2026-34993 7.2 - High - June 02, 2026

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

Marshaling, Unmarshaling

AITER 0.1.14 RCE via Unauth MessageQueue.recv() on ZMQ SUB
CVE-2026-49121 8.1 - High - June 01, 2026

AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.

Marshaling, Unmarshaling

Poppler Splash integer overflow arbitrary code exec
CVE-2026-10118 7.8 - High - June 01, 2026

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

Integer Overflow or Wraparound

Pip console_scripts path flaw enables entry point out-of-dir
CVE-2026-8643 8 - High - June 01, 2026

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Directory traversal

Unbounded Memory Allocation via Baggage Prop in OpenTelemetry Java <1.62.0
CVE-2026-45292 7.5 - High - May 28, 2026

opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.

Allocation of Resources Without Limits or Throttling

PyJWT <=2.12: HMAC verifier may use issuer JWK as secret key
CVE-2026-48526 7.4 - High - May 28, 2026

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.

authentification

Host Header Validation Bypass in Starlette <1.0.1 Leading to Routing Bypass
CVE-2026-48710 6.5 - Medium - May 26, 2026

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

HTTP Request Smuggling

GnuTLS DTLS DoS via Duplicate Seq Number Reordering
CVE-2026-42009 7.5 - High - May 18, 2026

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Undefined Behavior for Input to API

Diffusers RCE via trust_remote_code Bypass before 0.38.0
CVE-2026-44513 8.8 - High - May 14, 2026

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.

Code Injection

PyTorch Lightning 2.6.2-2.6.3 Credential Harvesting Vulnerability
CVE-2026-44484 9.8 - Critical - May 14, 2026

PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism.

Embedded Malicious Code

PythonMultipart <0.0.27: DoS via unlimited multipartpart headers
CVE-2026-42561 7.5 - High - May 13, 2026

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.

Allocation of Resources Without Limits or Throttling

urllib3 2.6.0-<2.7.0 Decompress Whole Response DoS via Brotli
CVE-2026-44432 7.5 - High - May 13, 2026

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.

Data Amplification

GNUTLS RSA-PSK Username NUL Bypass Auth
CVE-2026-42010 7.1 - High - May 07, 2026

A flaw was found in gnutls. Servers configured with RSA-PSK (RivestShamirAdleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Improper Null Termination

Memory Allocation with Excessive Size in Apache Thrift < 0.23.0 (CVE-2026-43868)
CVE-2026-43868 7.5 - High - May 05, 2026

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Stack Exhaustion

Apache Thrift CVE-2026-43869: Improper Cert Host Mismatch before 0.23.0
CVE-2026-43869 7.3 - High - May 05, 2026

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Improper Validation of Certificate with Host Mismatch

Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly (CVE-2026-33846)
CVE-2026-33846 7.5 - High - May 04, 2026

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

length manipulation

OOB Read via DTLS Fragment Underflow in GnuTLS
CVE-2026-33845 7.5 - High - April 30, 2026

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Integer underflow

libsndfile 1.2.2 IMA ADPCM overflow allows heap buffer overflow
CVE-2026-37555 8.2 - High - April 29, 2026

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.

Integer Overflow or Wraparound

OOB Read Vulnerability in Apache Thrift before 0.23.0
CVE-2026-41607 9.1 - Critical - April 28, 2026

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Out-of-bounds Read

Apache Thrift <0.23.0: Uncontrolled Recursion Vulnerability
CVE-2026-41606 7.5 - High - April 28, 2026

Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Stack Exhaustion

Apache Thrift Int Overflow or Wraparound <0.23.0; Fixed 0.23.0
CVE-2026-41605 7.7 - High - April 28, 2026

Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Integer Overflow or Wraparound

CVE-2026-41604: OOB Read in Apache Thrift < 0.23.0
CVE-2026-41604 8.2 - High - April 28, 2026

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Out-of-bounds Read

Apache Thrift CVE-2026-41603: Improper Cert Host Mismatch Before 0.23.0
CVE-2026-41603 8.2 - High - April 28, 2026

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Improper Validation of Certificate with Host Mismatch

Apache Thrift Go TFramedTransport Integer Overflow (<0.23.0)
CVE-2026-41602 7.5 - High - April 28, 2026

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Integer Overflow or Wraparound

Apache Thrift 0.23+ Mismatched Memory Mgmt Routines Vulnerability
CVE-2025-48431 7.5 - High - April 28, 2026

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

Mismatched Memory Management Routines

Pillow 10.3.012.1.1 GZIP decompress bomb in FITS decoder (CVE202640192)
CVE-2026-40192 7.5 - High - April 15, 2026

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

Allocation of Resources Without Limits or Throttling

CVE-2026-6385 FFmpeg DVD Subtitle Signed Int Overflow -> Heap OOB Write
CVE-2026-6385 6.5 - Medium - April 15, 2026

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.

Integer Overflow or Wraparound

jq DoS via Hash Collision Exploit
CVE-2026-40164 7.5 - High - April 13, 2026

jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

Reversible One-Way Hash

jq libjq buffer overflow in jv_parse_sized() (CVE-2026-39979)
CVE-2026-39979 8.2 - High - April 13, 2026

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

Out-of-bounds Read

Python CPython "webbrowser.open" "%action" URL injection (CVE-2026-4786)
CVE-2026-4786 7.1 - High - April 13, 2026

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Command Injection

UAF in CPython lzma/BZ2/gzip Decompressors before v3.15.0
CVE-2026-6100 8.1 - High - April 13, 2026

Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Dangling pointer

libcap TOCTOU in cap_set_file() leads to privilege escalation
CVE-2026-4878 6.7 - Medium - April 09, 2026

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

TOCTTOU

Buffer Overflow in cryptography 45.x-46.0.6 via non-contiguous buffers
CVE-2026-39892 7.3 - High - April 08, 2026

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

Buffer Overflow

Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280 7.5 - High - April 08, 2026

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Allocation of Resources Without Limits or Throttling

Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283 7.5 - High - April 08, 2026

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Multiple Locks of a Critical Resource

Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810 8.8 - High - April 08, 2026

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Improper Validation of Unsafe Equivalence in Input

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Ai Inference Server or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe