Red Hat Discovery

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Discovery.

Recent Red Hat Discovery Security Advisories

Advisory	Title	Published
RHSA-2025:7630	(RHSA-2025:7630) Important: updated discovery-cli RPMs	May 14, 2025
RHSA-2025:3709	(RHSA-2025:3709) Important: updated discovery container images	April 8, 2025
RHSA-2025:1487	(RHSA-2025:1487) Important: updated discovery container images	February 13, 2025
RHSA-2025:1249	(RHSA-2025:1249) Important: updated discovery container images	February 10, 2025

By the Year

In 2025 there have been 19 vulnerabilities in Red Hat Discovery with an average score of 6.7 out of ten. Last year, in 2024 Discovery had 1 security vulnerability published. That is, 18 more vulnerabilities have already been reported in 2025 as compared to last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.18.

Year	Vulnerabilities	Average Score
2025	19	6.68
2024	1	5.50
2023	1	5.90
2022	0	0.00
2021	0	0.00
2020	1	7.80

It may take a day or so for new Discovery vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Discovery Security Vulnerabilities

Linux-PAM pam_namespace LPE via Symlink Race
CVE-2025-8941 7.8 - High - August 13, 2025

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Directory traversal

GnuTLS NULL Deref in figure_common_ciphersuite()
CVE-2025-6395 6.5 - Medium - July 10, 2025

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

NULL Pointer Dereference

libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425 7.8 - High - July 10, 2025

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Dangling pointer

GnuTLS certtool Heap OOB Null Write in Template Parsing – DoS
CVE-2025-32990 6.5 - Medium - July 10, 2025

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Heap-based Buffer Overflow

GnuTLS Double-Free in SAN Export Logic (CVE-2025-32988)
CVE-2025-32988 6.5 - Medium - July 10, 2025

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Double-free

GnuTLS CT SCT Heap-Buffer-Overread (CVE-2025-32989)
CVE-2025-32989 5.3 - Medium - July 10, 2025

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

Improper Certificate Validation

PAM Namespace Race: Local Priv Escal via Symlinks in linux-pam
CVE-2025-6020 7.8 - High - June 17, 2025

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Directory traversal

Memory Corruption in libxml2 via sch:name -> DoS
CVE-2025-49796 9.1 - Critical - June 16, 2025

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

Out-of-bounds Read

Stack Overflow in libxml2 xmlBuildQName (CVE-2025-6021)
CVE-2025-6021 7.5 - High - June 12, 2025

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Stack Overflow

Integer Overflow in libarchive RAR Reader Causes Double-Free
CVE-2025-5914 7.3 - High - June 09, 2025

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Double-free

MIT Kerberos GSSAPI Msg Spoof via RC4-HMAC-MD5 Coll
CVE-2025-3576 5.9 - Medium - April 15, 2025

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Reversible One-Way Hash

DoS via Stack Overflow in libexpat Recursive Entity Expansion
CVE-2024-8176 7.5 - High - March 14, 2025

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Stack Exhaustion

OpenSSH VerifyHostKeyDNS DoS via Host Key Verification Error
CVE-2025-26465 6.8 - Medium - February 18, 2025

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Detection of Error Condition Without Action

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

libtasn1 CVE-2024-12133: DoS via Crafted Large Certificate
CVE-2024-12133 5.3 - Medium - February 10, 2025

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

Inefficient Algorithmic Complexity

GnuTLS libtasn1 DoS via DER Cert Decoding
CVE-2024-12243 5.3 - Medium - February 10, 2025

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

Inefficient Algorithmic Complexity

Rsync --safe-links Path Traversal, Arbitrary File Write
CVE-2024-12088 6.5 - Medium - January 14, 2025

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Directory traversal

Path traversal in rsync via --inc-recursive option
CVE-2024-12087 6.5 - Medium - January 14, 2025

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

Directory traversal

Rsync Race Condition Enables Symlink Traversal, Potential PrivEsc
CVE-2024-12747 5.6 - Medium - January 14, 2025

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

Race Condition

Ansible include_vars leak: Vault secrets exposed in logs
CVE-2024-8775 5.5 - Medium - September 14, 2024

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

Insertion of Sensitive Information into Log File

OpenSSH <9.6 BPP handshake flaw allows integrity bypass (Terrapin attack)
CVE-2023-48795 5.9 - Medium - December 18, 2023

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Improper Validation of Integrity Check Value

A heap use-after-free vulnerability was found in systemd before version v245-rc1
CVE-2020-1712 7.8 - High - March 31, 2020

A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.

Dangling pointer

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Discovery or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

Red Hat Discovery
Product

Red Hat Discovery

Don't miss out!

Recent Red Hat Discovery Security Advisories

By the Year

Recent Red Hat Discovery Security Vulnerabilities

Linux-PAM pam_namespace LPE via Symlink Race CVE-2025-8941 7.8 - High - August 13, 2025

GnuTLS NULL Deref in figure_common_ciphersuite() CVE-2025-6395 6.5 - Medium - July 10, 2025

libxslt Heap Corruption via atype Flag Manipulation CVE-2025-7425 7.8 - High - July 10, 2025

GnuTLS certtool Heap OOB Null Write in Template Parsing – DoS CVE-2025-32990 6.5 - Medium - July 10, 2025

GnuTLS Double-Free in SAN Export Logic (CVE-2025-32988) CVE-2025-32988 6.5 - Medium - July 10, 2025

GnuTLS CT SCT Heap-Buffer-Overread (CVE-2025-32989) CVE-2025-32989 5.3 - Medium - July 10, 2025

PAM Namespace Race: Local Priv Escal via Symlinks in linux-pam CVE-2025-6020 7.8 - High - June 17, 2025

Memory Corruption in libxml2 via sch:name -> DoS CVE-2025-49796 9.1 - Critical - June 16, 2025

Stack Overflow in libxml2 xmlBuildQName (CVE-2025-6021) CVE-2025-6021 7.5 - High - June 12, 2025

Integer Overflow in libarchive RAR Reader Causes Double-Free CVE-2025-5914 7.3 - High - June 09, 2025

MIT Kerberos GSSAPI Msg Spoof via RC4-HMAC-MD5 Coll CVE-2025-3576 5.9 - Medium - April 15, 2025

DoS via Stack Overflow in libexpat Recursive Entity Expansion CVE-2024-8176 7.5 - High - March 14, 2025

OpenSSH VerifyHostKeyDNS DoS via Host Key Verification Error CVE-2025-26465 6.8 - Medium - February 18, 2025

serialize-javascript XSS via unsanitized regex input CVE-2024-11831 5.4 - Medium - February 10, 2025

libtasn1 CVE-2024-12133: DoS via Crafted Large Certificate CVE-2024-12133 5.3 - Medium - February 10, 2025

GnuTLS libtasn1 DoS via DER Cert Decoding CVE-2024-12243 5.3 - Medium - February 10, 2025

Rsync --safe-links Path Traversal, Arbitrary File Write CVE-2024-12088 6.5 - Medium - January 14, 2025

Path traversal in rsync via --inc-recursive option CVE-2024-12087 6.5 - Medium - January 14, 2025

Rsync Race Condition Enables Symlink Traversal, Potential PrivEsc CVE-2024-12747 5.6 - Medium - January 14, 2025

Ansible include_vars leak: Vault secrets exposed in logs CVE-2024-8775 5.5 - Medium - September 14, 2024

OpenSSH <9.6 BPP handshake flaw allows integrity bypass (Terrapin attack) CVE-2023-48795 5.9 - Medium - December 18, 2023

A heap use-after-free vulnerability was found in systemd before version v245-rc1 CVE-2020-1712 7.8 - High - March 31, 2020

Stay on top of Security Vulnerabilities

Red Hat Vendor

Red Hat DiscoveryProduct

Linux-PAM pam_namespace LPE via Symlink Race
CVE-2025-8941 7.8 - High - August 13, 2025

GnuTLS NULL Deref in figure_common_ciphersuite()
CVE-2025-6395 6.5 - Medium - July 10, 2025

libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425 7.8 - High - July 10, 2025

GnuTLS certtool Heap OOB Null Write in Template Parsing – DoS
CVE-2025-32990 6.5 - Medium - July 10, 2025

GnuTLS Double-Free in SAN Export Logic (CVE-2025-32988)
CVE-2025-32988 6.5 - Medium - July 10, 2025

GnuTLS CT SCT Heap-Buffer-Overread (CVE-2025-32989)
CVE-2025-32989 5.3 - Medium - July 10, 2025

PAM Namespace Race: Local Priv Escal via Symlinks in linux-pam
CVE-2025-6020 7.8 - High - June 17, 2025

Memory Corruption in libxml2 via sch:name -> DoS
CVE-2025-49796 9.1 - Critical - June 16, 2025

Stack Overflow in libxml2 xmlBuildQName (CVE-2025-6021)
CVE-2025-6021 7.5 - High - June 12, 2025

Integer Overflow in libarchive RAR Reader Causes Double-Free
CVE-2025-5914 7.3 - High - June 09, 2025

MIT Kerberos GSSAPI Msg Spoof via RC4-HMAC-MD5 Coll
CVE-2025-3576 5.9 - Medium - April 15, 2025

DoS via Stack Overflow in libexpat Recursive Entity Expansion
CVE-2024-8176 7.5 - High - March 14, 2025

OpenSSH VerifyHostKeyDNS DoS via Host Key Verification Error
CVE-2025-26465 6.8 - Medium - February 18, 2025

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

libtasn1 CVE-2024-12133: DoS via Crafted Large Certificate
CVE-2024-12133 5.3 - Medium - February 10, 2025

GnuTLS libtasn1 DoS via DER Cert Decoding
CVE-2024-12243 5.3 - Medium - February 10, 2025

Rsync --safe-links Path Traversal, Arbitrary File Write
CVE-2024-12088 6.5 - Medium - January 14, 2025

Path traversal in rsync via --inc-recursive option
CVE-2024-12087 6.5 - Medium - January 14, 2025

Rsync Race Condition Enables Symlink Traversal, Potential PrivEsc
CVE-2024-12747 5.6 - Medium - January 14, 2025

Ansible include_vars leak: Vault secrets exposed in logs
CVE-2024-8775 5.5 - Medium - September 14, 2024

OpenSSH <9.6 BPP handshake flaw allows integrity bypass (Terrapin attack)
CVE-2023-48795 5.9 - Medium - December 18, 2023

A heap use-after-free vulnerability was found in systemd before version v245-rc1
CVE-2020-1712 7.8 - High - March 31, 2020

Red Hat
Vendor

Red Hat Discovery
Product