Red Hat Enterprise Linux Desktop RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop

Linux Kernel netfilter nf_tables Use-After-Free CA PrivEsc via NF_DROP
CVE-2024-1086 7.8 - High - January 31, 2024

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Dangling pointer

X.Org Server cursor flaw overwrites SELinux context
CVE-2024-0409 7.8 - High - January 18, 2024

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Memory Corruption

X.Org Server GLX PBuffer XACE Hook Missing Leading to SELinux Crash
CVE-2024-0408 5.5 - Medium - January 18, 2024

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

Improper Neutralization of Null Byte or NUL Character

X.Org Server: Heap Overflow via Button Mapping Bit Misallocation
CVE-2023-6816 9.8 - Critical - January 18, 2024

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

Memory Corruption

CVE-2023-5455: CSRF in FreeIPA /ipa/session/login_password
CVE-2023-5455 6.5 - Medium - January 10, 2024

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Session Riding

PostgreSQL Array Integer Overflow Allows Authenticated Code Exec
CVE-2023-5869 8.8 - High - December 10, 2023

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Integer Overflow or Wraparound

Red Hat Insights Client LPE via Unsafe Temp Dir Handling
CVE-2023-3972 7.8 - High - November 01, 2023

A vulnerability was found in insights-client. This security issue occurs because of insecure file operations or unsafe handling of temporary files and directories that lead to local privilege escalation. Before the insights-client has been registered on the system by root, an unprivileged local user or attacker could create the /var/tmp/insights-client directory (owning the directory with read, write, and execute permissions) on the system. After the insights-client is registered by root, an attacker could then control the directory content that insights are using by putting malicious scripts into it and executing arbitrary code as root (trivially bypassing SELinux protections because insights processes are allowed to disable SELinux system-wide).

Creation of Temporary File in Directory with Insecure Permissions

CVE-2023-5367: OOB Write in Xorg X11 Server XIChangeDeviceProperty
CVE-2023-5367 7.8 - High - October 25, 2023

A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.

Memory Corruption

Red Hat Subscription-Manager Local Privilege Escalation via D-Bus Auth Bypass
CVE-2023-3899 7.8 - High - August 23, 2023

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

AuthZ

X.org X Server Priv Escalation via dangling pointer in DeepCopyPointerClasses
CVE-2023-0494 7.8 - High - March 27, 2023

A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.

Dangling pointer

WebKit Arbitrary Code Execution via Malicious Content
CVE-2019-8720 8.8 - High - March 06, 2023

A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.

Buffer Overflow

SSSD libsss_certmap unsanitised LDAP cert data (CVE-2022-4254)
CVE-2022-4254 8.8 - High - February 01, 2023

sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters

LDAP Injection

QEMU < 1.6.2: QCOW2 snapshot update_refcount crash
CVE-2014-0147 - September 29, 2022

Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.

QEMU 2.0.0 - Block Driver Overflows in CLOOP/QCOW2 v2 (CVE-2014-0144)
CVE-2014-0144 - September 29, 2022

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.

QEMU <2.0: Hyper-V VHDX block driver loop DoS vulnerability
CVE-2014-0148 - September 29, 2022

Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS.

IBM Java SDK <SR1 FP10: plaintext stored in memory dumps (CVE-2015-1931)
CVE-2015-1931 - September 29, 2022

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.

A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU
CVE-2022-0330 7.8 - High - March 25, 2022

A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.

Improper Preservation of Permissions

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization
CVE-2021-3656 8.8 - High - March 04, 2022

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

AuthZ

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "
CVE-2021-44142 8.8 - High - February 21, 2022

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

Out-of-bounds Read

A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication
CVE-2020-25719 7.2 - High - February 18, 2022

A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.

Race Condition

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches
CVE-2021-4091 - February 18, 2022

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.

Double-free

A flaw was found in the way Samba maps domain users to local users
CVE-2020-25717 8.1 - High - February 18, 2022

A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.

Improper Input Validation

A flaw was found in the way samba implemented SMB1 authentication
CVE-2016-2124 5.9 - Medium - February 18, 2022

A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.

authentification

A local privilege escalation vulnerability was found on polkit's pkexec utility
CVE-2021-4034 7.8 - High - January 28, 2022

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Memory Corruption

In ImageMagick versions before 7.0.9-0
CVE-2020-27769 3.3 - Low - May 14, 2021

In ImageMagick versions before 7.0.9-0, there are outside the range of representable values of type 'float' at MagickCore/quantize.c.

A logic issue was addressed with improved validation
CVE-2020-3864 7.8 - High - October 27, 2020

A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin.

Origin Validation Error

A use after free issue was addressed with improved memory management
CVE-2019-8846 - October 27, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Multiple memory corruption issues were addressed with improved memory handling
CVE-2019-8844 - October 27, 2020

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Multiple memory corruption issues were addressed with improved memory handling
CVE-2019-8835 - October 27, 2020

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1
CVE-2020-10531 8.8 - High - March 12, 2020

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Memory Corruption

Type confusion in V8 in Google Chrome prior to 80.0.3987.122
CVE-2020-6418 8.8 - High - February 27, 2020

Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Object Type Confusion

Use after free in speech in Google Chrome prior to 80.0.3987.116
CVE-2020-6386 - February 27, 2020

Use after free in speech in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Use after free in WebAudio in Google Chrome prior to 80.0.3987.116
CVE-2020-6384 - February 27, 2020

Use after free in WebAudio in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion in V8 in Google Chrome prior to 80.0.3987.116
CVE-2020-6383 - February 27, 2020

Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Adobe Flash Player versions 32.0.0.321 and earlier
CVE-2020-3757 8.8 - High - February 13, 2020

Adobe Flash Player versions 32.0.0.321 and earlier, 32.0.0.314 and earlier, 32.0.0.321 and earlier, and 32.0.0.255 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution.

Object Type Confusion

Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87
CVE-2020-6398 - February 11, 2020

Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87
CVE-2020-6397 - February 11, 2020

Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page.

Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87
CVE-2020-6402 - February 11, 2020

Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.

Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87
CVE-2020-6400 - February 11, 2020

Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87
CVE-2020-6382 - February 11, 2020

Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87
CVE-2020-6403 - February 11, 2020

Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87
CVE-2020-6404 - February 11, 2020

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87
CVE-2020-6394 - February 11, 2020

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.

Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87
CVE-2020-6381 - February 11, 2020

Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87
CVE-2020-6385 - February 11, 2020

Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Out of bounds memory access in streams in Google Chrome prior to 80.0.3987.87
CVE-2020-6390 - February 11, 2020

Out of bounds memory access in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87
CVE-2020-6391 - February 11, 2020

Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to bypass content security policy via a crafted HTML page.

Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87
CVE-2020-6396 - February 11, 2020

Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87
CVE-2020-6393 - February 11, 2020

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87
CVE-2020-6392 - February 11, 2020

Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.