Red Hat Enterprise Linux (RHEL)
Recent Red Hat Enterprise Linux (RHEL) Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:17611 | (RHSA-2026:17611) Red Hat Enterprise Linux AI 3.3.3 | May 14, 2026 |
| RHSA-2026:17609 | (RHSA-2026:17609) Red Hat Enterprise Linux AI 3.3.3 | May 14, 2026 |
| RHSA-2026:10141 | (RHSA-2026:10141) Red Hat Enterprise Linux AI 3.3.1 | April 23, 2026 |
| RHSA-2026:10140 | (RHSA-2026:10140) Red Hat Enterprise Linux AI 3.3.1 | April 23, 2026 |
| RHSA-2025:19429 | (RHSA-2025:19429) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19427 | (RHSA-2025:19427) Red Hat Enterprise Linux AI 1.5 (AMD) | November 3, 2025 |
| RHSA-2025:19430 | (RHSA-2025:19430) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19426 | (RHSA-2025:19426) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19428 | (RHSA-2025:19428) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19425 | (RHSA-2025:19425) Red Hat Enterprise Linux AI 1.5 (AMD) | November 3, 2025 |
By the Year
In 2026 there have been 157 vulnerabilities in Red Hat Enterprise Linux (RHEL) with an average score of 6.3 out of ten. Last year, in 2025, Enterprise Linux (RHEL) had 204 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Enterprise Linux (RHEL) in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.18.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 157 | 6.25 |
| 2025 | 204 | 6.44 |
| 2024 | 171 | 6.34 |
| 2023 | 210 | 6.37 |
| 2022 | 175 | 6.74 |
| 2021 | 148 | 6.51 |
| 2020 | 104 | 6.35 |
| 2019 | 293 | 6.21 |
| 2018 | 113 | 7.02 |
It may take a day or so for new Enterprise Linux (RHEL) vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Enterprise Linux (RHEL) Security Vulnerabilities
X.Org X Server UAF in CreateSaverWindow() (Xwayland)
CVE-2026-50263
5.5 - Medium
- June 05, 2026
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Dangling pointer
X.Org XServer Xwayland OOB Read __glXDisp_ChangeDrawableAttributes
CVE-2026-50262
5.5 - Medium
- June 05, 2026
An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients, which are disabled by default.
Out-of-bounds Read
X.Org X Server & Xwayland OOB Heap Write via DRI2 Buffers
CVE-2026-50264
7.8 - High
- June 05, 2026
An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Memory Corruption
UAF in X.Org X Server XWayland SyncChangeCounter()
CVE-2026-50261
7.8 - High
- June 05, 2026
A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Dangling pointer
Use-after-free in X.Org X Server via SyncCounters
CVE-2026-50260
7.8 - High
- June 05, 2026
A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Dangling pointer
Stack Buffer Overflow in X.Org X Server (_XkbSetMapChecks)
CVE-2026-50259
7.8 - High
- June 05, 2026
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Stack Overflow
CVE-2026-50258: Stack BOF in X.Org X Server & Xwayland
CVE-2026-50258
7.8 - High
- June 05, 2026
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Stack Overflow
X.Org X Server UAF via miSyncDestroyFence()
CVE-2026-50257
7.8 - High
- June 05, 2026
A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Dangling pointer
X.Org X Server: Stack Buffer Overflow via Font Alias Length Attack (CVE-2026-50256)
CVE-2026-50256
7.8 - High
- June 05, 2026
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Stack Overflow
Root Privilege Elevation via libinput udev Property Injection
CVE-2026-50265
7 - High
- June 05, 2026
A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system.
Shell injection
Local Priv Escalation via Malformed MUD URLs in NetworkManager's dhclient
CVE-2026-10805
6.7 - Medium
- June 04, 2026
A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.
Shell injection
GnuTLS PKCS#7 Padding Timing SideChannel Info Disclosure
CVE-2026-5419
3.7 - Low
- June 01, 2026
A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.
Observable Timing Discrepancy
rrdtool rrdcached Buffer Overflow via Oversized CREATE
CVE-2026-43958
7.8 - High
- June 01, 2026
A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data.
Stack Overflow
Poppler Splash integer overflow arbitrary code exec
CVE-2026-10118
7.8 - High
- June 01, 2026
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Integer Overflow or Wraparound
libsoup Signed-to-Unsigned Conversion Out-of-Bounds in HTTP Stream RCE
CVE-2026-6324
4.8 - Medium
- May 29, 2026
A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.
HTTP Request Smuggling
Glib-Networking GnuTLS Cert Verification Infinite Loop DoS
CVE-2026-10028
4.3 - Medium
- May 28, 2026
A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.
Infinite Loop
Samba Remote Cmd Exec via Unsanitized %u in check password script
CVE-2026-4408
9 - Critical
- May 28, 2026
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
Shell injection
CVE-2026-44604: rpmuncompress Command Injection W/O Sanitization
CVE-2026-44604
7 - High
- May 28, 2026
A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
Shell injection
Samba NTFS Reparse Points Access Control Bypass via SMB
CVE-2026-1933
7.1 - High
- May 27, 2026
A flaw was found in Samba's handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.
Authorization
Samba's vfs_worm Rename Bypass Enables Overwrite of WORM Files
CVE-2026-2340
6.5 - Medium
- May 27, 2026
A flaw was found in Samba's vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
Improper Handling of Insufficient Permissions or Privileges
Samba CA AutoEnroll HTTP Trust Misinstall (CVE-2026-3012)
CVE-2026-3012
8 - High
- May 27, 2026
A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.
Insufficient Verification of Data Authenticity
GnuTLS PKCS#12 Bag Off-by-One Buffer Overwrite
CVE-2026-42015
5.3 - Medium
- May 26, 2026
A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.
off-by-five
GnuTLS SAN Size ForkCheck Bypass
CVE-2026-42013
8.2 - High
- May 26, 2026
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
Improper Validation of Specified Quantity in Input
GNUTLS Certificate Validation Bypass via URI/SRV SAN Fallback
CVE-2026-42012
7.1 - High
- May 26, 2026
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.
Improper Certificate Validation
Libgnutls RSA PKCS#11 Key Exchange Overread Info Disclosure
CVE-2026-5260
8.2 - High
- May 26, 2026
A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.
Improper Validation of Specified Quantity in Input
libsolv Heap Buffer Overflow via .solv Decompression
CVE-2026-48864
7.8 - High
- May 26, 2026
A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.
Memory Corruption
Shell Injection in Samba Print Service via Unescaped %J
CVE-2026-4480
9 - Critical
- May 26, 2026
A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.
Shell injection
libsolv Heap B.O. in repo_add_solv via negative .solv size
CVE-2026-9149
6.5 - Medium
- May 20, 2026
A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).
Heap-based Buffer Overflow
Red Hat libsolv Stack Buffer Overflow in Debian METADATA Parser
CVE-2026-9150
6.5 - Medium
- May 20, 2026
A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.
Stack Overflow
389-DS LDAP DoS: Unbounded Controls Enable Remote Overload
CVE-2026-9064
7.5 - High
- May 20, 2026
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Allocation of Resources Without Limits or Throttling
GnuTLS DTLS DoS via Duplicate Seq Number Reordering
CVE-2026-42009
7.5 - High
- May 18, 2026
A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.
Undefined Behavior for Input to API
Remote Command Execution via Unsanitized UI Parameters in Cockpit
CVE-2026-4802
8 - High
- May 11, 2026
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
Shell injection
GNUTLS Name Constraint Bypass (CVE-2026-42011)
CVE-2026-42011
7.4 - High
- May 07, 2026
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.
Improper Certificate Validation
GNUTLS RSA-PSK Username NUL Bypass Auth
CVE-2026-42010
7.1 - High
- May 07, 2026
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
Poison Null Byte
Keylime Verifier Hardcoded Nonce Enables TPM Quote Replay
CVE-2026-6420
6.3 - Medium
- May 06, 2026
A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment.
Use of Predictable Algorithm in Random Number Generator
Open vSwitch FTP Helper Heap OOB Leads to DoS
CVE-2026-34956
5.9 - Medium
- May 05, 2026
A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
Classic Buffer Overflow
XKB Modmap OOB Read in X.Org X Server
CVE-2026-34002
6.1 - Medium
- May 05, 2026
A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service.
Buffer Access with Incorrect Length Value
OOB Read in XKB Geometry (CheckSetGeom) of X.Org X Server
CVE-2026-34000
6.1 - Medium
- May 05, 2026
A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server.
Out-of-bounds Read
Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly (CVE-2026-33846)
CVE-2026-33846
7.5 - High
- May 04, 2026
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
length manipulation
OOB Read via DTLS Fragment Underflow in GnuTLS
CVE-2026-33845
7.5 - High
- April 30, 2026
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
Integer underflow
GnuTLS OCSP Multi-Record Logic Error Allows Revoked Cert Acceptance
CVE-2026-3832
3.7 - Low
- April 30, 2026
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
Incorrect Behavior Order: Early Validation
GnuTLS SAN case-sensitivity flaw can bypass nameConstraints
CVE-2026-3833
6.5 - Medium
- April 30, 2026
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
Improper Handling of Case Sensitivity
CVE-2026-5265: ovn-controller ICMP Error Copies Partial Out-of-Bounds Heap Data
CVE-2026-5265
6.5 - Medium
- April 24, 2026
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
length manipulation
OVN Remote OOB Read via Crafted DHCPv6 SOLICIT
CVE-2026-5367
8.6 - High
- April 24, 2026
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
length manipulation
libxml2 XSD Internal Entity Type-Confusion DoS
CVE-2026-6732
6.5 - Medium
- April 23, 2026
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Object Type Confusion
libsoup HTTP Header Smuggling via Multiple CL Headers
CVE-2026-2708
3.7 - Low
- April 23, 2026
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.
HTTP Request Smuggling
X.Org X Server XKB OOB Memory Access (CVE-2026-34003)
CVE-2026-34003
7.8 - High
- April 23, 2026
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.
Out-of-bounds Read
X.Org XServer use-after-free in miSyncTriggerFence()
CVE-2026-34001
7.8 - High
- April 23, 2026
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
Dangling pointer
XKB Int Underflow in X.Org X Server
CVE-2026-33999
7.8 - High
- April 23, 2026
A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.
Integer underflow
CVE-2025-66286: WebKitGTK/WPE WebKit API Signal Bypass; IP/DNS/HTTP Exposed
CVE-2025-66286
4.7 - Medium
- April 23, 2026
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Insecure Direct Object Reference / IDOR