Red Hat Enterprise Linux (RHEL)
Recent Red Hat Enterprise Linux (RHEL) Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2025:19429 | (RHSA-2025:19429) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19427 | (RHSA-2025:19427) Red Hat Enterprise Linux AI 1.5 (AMD) | November 3, 2025 |
| RHSA-2025:19430 | (RHSA-2025:19430) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19426 | (RHSA-2025:19426) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19428 | (RHSA-2025:19428) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19425 | (RHSA-2025:19425) Red Hat Enterprise Linux AI 1.5 (AMD) | November 3, 2025 |
| RHSA-2025:19424 | (RHSA-2025:19424) Red Hat Enterprise Linux AI 1.5 (AMD) | November 3, 2025 |
| RHSA-2025:19423 | (RHSA-2025:19423) Red Hat Enterprise Linux AI 1.5 (NVIDIA) | November 3, 2025 |
| RHSA-2025:19422 | (RHSA-2025:19422) Red Hat Enterprise Linux AI 1.5 (Intel Gaudi) | November 3, 2025 |
| RHSA-2021:3144 | (RHSA-2021:3144) Low: .NET Core 2.1 on Red Hat Enterprise Linux security and bugfix update | August 11, 2021 |
By the Year
In 2026 there have been 4 vulnerabilities in Red Hat Enterprise Linux (RHEL) with an average score of 7.4 out of ten. Last year, in 2025, Enterprise Linux (RHEL) had 203 security vulnerabilities published. Right now, Enterprise Linux (RHEL) is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.94.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 7.38 |
| 2025 | 203 | 6.43 |
| 2024 | 167 | 6.32 |
| 2023 | 210 | 6.37 |
| 2022 | 175 | 6.74 |
| 2021 | 148 | 6.74 |
| 2020 | 104 | 6.41 |
| 2019 | 293 | 6.32 |
| 2018 | 113 | 7.55 |
It may take a day or so for new Enterprise Linux (RHEL) vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Enterprise Linux (RHEL) Security Vulnerabilities
A flaw was found in vsftpd
CVE-2025-14242
6.5 - Medium
- January 14, 2026
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Integer Overflow or Wraparound
A flaw was found in libsoup's WebSocket frame processing when handling incoming messages
CVE-2026-0716
4.8 - Medium
- January 13, 2026
A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted.
Buffer Access with Incorrect Length Value
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library
CVE-2026-0719
8.6 - High
- January 08, 2026
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
Stack Overflow
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications
CVE-2025-12543
9.6 - Critical
- January 07, 2026
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Improper Input Validation
libnbd URI Injection Enables Code Execution via Malicious SSH Args
CVE-2025-14946
4.8 - Medium
- December 19, 2025
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Argument Injection
HTTP Host Header Smuggling via libsoup's Duplicate Host Handling
CVE-2025-14523
8.2 - High
- December 11, 2025
A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
HTTP Request Smuggling
glib GIO escape_byte_string overflow causes heap buffer DoS
CVE-2025-14512
6.5 - Medium
- December 11, 2025
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
Integer Overflow or Wraparound
GLib GVariant Buffer Underflow Heap Corruption (CVE-2025-14087)
CVE-2025-14087
5.6 - Medium
- December 10, 2025
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
Integer Overflow or Wraparound
Heap Buffer Overread in util-linux setpwnam() (256-byte usernames)
CVE-2025-14104
6.1 - Medium
- December 05, 2025
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
Out-of-bounds Read
WebKitGTK Unexpected Crash from Malicious Web Content (CVE-2025-66287)
CVE-2025-66287
8.8 - High
- December 04, 2025
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.
Classic Buffer Overflow
WebKitGTK File DragDrop Info Disclosure (CVE-2025-13947)
CVE-2025-13947
7.4 - High
- December 03, 2025
A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.
Origin Validation Error
Local Priv Esc via ABRT Daemon Shell Injection
CVE-2025-12744
8.8 - High
- December 03, 2025
A flaw was found in the ABRT daemon's handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.
Shell injection
Glib Heap Buffer Overflow in g_escape_uri_string()
CVE-2025-13601
7.7 - High
- November 26, 2025
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
Integer Overflow or Wraparound
Out-of-Bounds Read / Integer Underflow in WebKitGTK (UIProcess DoS)
CVE-2025-13502
7.5 - High
- November 25, 2025
A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.
Integer Overflow or Wraparound
Keylime Agent: UUID Overwrite via TPM ID Spoof
CVE-2025-13609
8.2 - High
- November 24, 2025
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
Use of Multiple Resources with Duplicate Identifier
GRUB2 UAF in network module => DoS
CVE-2025-54770
4.9 - Medium
- November 18, 2025
A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability.
Dangling pointer
GRUB2 Normal Module UAF Can Crash or Leak Data
CVE-2025-61664
4.9 - Medium
- November 18, 2025
A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.
Dangling pointer
GRUB2: UAF in normal command leads to DoS
CVE-2025-61663
4.9 - Medium
- November 18, 2025
A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.
Dangling pointer
UAF in GRUB gettext module leads to denial of service
CVE-2025-61662
4.9 - Medium
- November 18, 2025
A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Dangling pointer
CVE-2025-61661: GRUB USB String Conv DoS
CVE-2025-61661
4.8 - Medium
- November 18, 2025
A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
Incorrect Calculation of Buffer Size
Use-After-Free in GNU GRUB Causes DoS via Invalid File Pointer
CVE-2025-54771
4.9 - Medium
- November 18, 2025
A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Dangling pointer
World-readable snapshots allow info disclosure in libvirt
CVE-2025-13193
5.5 - Medium
- November 17, 2025
A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
Incorrect Default Permissions
kdcproxy DoS via Unbounded TCP Response Length (CVE-2025-59089)
CVE-2025-59089
5.9 - Medium
- November 12, 2025
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Allocation of Resources Without Limits or Throttling
DNS SSRF in MIT Kerberos kdcproxy
CVE-2025-59088
8.6 - High
- November 12, 2025
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
SSRF
libvirt: XML Parsing Before ACL Causes Memory Exhaustion DoS
CVE-2025-12748
5.5 - Medium
- November 11, 2025
A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.
Allocation of Resources Without Limits or Throttling
libxml2 xmlSetTreeDoc UAF via stale ns pointer
CVE-2025-12863
- November 07, 2025
Samba WINS Hook RCE via Unvalidated NetBIOS Names
CVE-2025-10230
10 - Critical
- November 07, 2025
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controllers wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
Shell injection
QEMU e1000 Driver Buffer Overflow Enables Host DoS
CVE-2025-12464
6.2 - Medium
- October 31, 2025
A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service.
Stack Overflow
UA-FAULT: X.Org X Server X11 Present Extension Use-After-Free (CVE-2025-62229)
CVE-2025-62229
7.3 - High
- October 30, 2025
A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.
Dangling pointer
X.Org X Server Xkb Extension Use-After-Free on Client Cleanup
CVE-2025-62230
7.3 - High
- October 30, 2025
A flaw was discovered in the X.Org X server's X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.
Dangling pointer
X.Org X Server XkbSetCompatMap Short Overflow Causing CRASH
CVE-2025-62231
7.3 - High
- October 30, 2025
A flaw was identified in the X.Org X server's X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.
Integer Overflow or Wraparound
libsoup UAF via async HTTP/2 queue race causing remote DoS
CVE-2025-12105
7.5 - High
- October 23, 2025
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.
Dangling pointer
Data Corruption via luksmeta on LUKS1 Disks
CVE-2025-11568
4.4 - Medium
- October 15, 2025
A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this flaw by writing a large amount of metadata to an encrypted device. The utility fails to correctly validate the available space, causing the metadata to overwrite and corrupt the user's encrypted data. This action leads to a permanent loss of the stored information. Devices using the LUKS formats other than LUKS1 are not affected by this issue.
Improper Validation of Specified Quantity in Input
Samba vfs_streams_xattr Heap LE Leading to ID Disclosure
CVE-2025-9640
4.3 - Medium
- October 15, 2025
A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.
Use of Uninitialized Resource
libxslt exsltFuncResultComp type confusion may lead to crash
CVE-2025-11731
3.1 - Low
- October 14, 2025
A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.
Object Type Confusion
SSSD AD Kerberos Auth Plugin Flaw Enables Privilege Escalation
CVE-2025-11561
8.8 - High
- October 09, 2025
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Improper Privilege Management
QEMU QIOChannelWebsock UAF via WebSocket handshake
CVE-2025-11234
7.5 - High
- October 03, 2025
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
Dangling pointer
FreeIPA Privilege Escalation via Missing krbCanonicalName Validation
CVE-2025-7493
9.1 - Critical
- September 30, 2025
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Insufficient Granularity of Access Control
libsoup OOB read via cookie date handling flaw
CVE-2025-11021
7.5 - High
- September 26, 2025
A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.
Out-of-bounds Read
glib-networking OOM in OpenSSL backend causes invalid memory write
CVE-2025-60019
3.7 - Low
- September 25, 2025
glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. An out of memory condition could potentially result in writing to an invalid memory location.
NULL Pointer Dereference
Glib-Networking SSL BIO_write OOB read vuln
CVE-2025-60018
4.8 - Medium
- September 25, 2025
glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read.
Out-of-bounds Read
libxslt UAF Vulnerability in XSL Node Parsing
CVE-2025-10911
5.5 - Medium
- September 25, 2025
A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.
Dangling pointer
Libtiff Write-What-Where via TIFF Height Field
CVE-2025-9900
8.8 - High
- September 23, 2025
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Write-what-where Condition
Local unprivileged user can access chat history via Lightspeed Hist Ser IPC
CVE-2025-5962
7.7 - High
- September 22, 2025
A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering.
Authorization
Podman Build Context Leakage via RUN --mount=type=bind
CVE-2025-4953
7.4 - High
- September 16, 2025
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
Creation of Temporary File With Insecure Permissions
libssh KEX Memory Leak Triggered by Repeated Incorrect Key Exchange Guesses
CVE-2025-8277
3.1 - Low
- September 09, 2025
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
Memory Leak
Podman v4.0.0–v5.6.1: kube Play Overwrite Host Files via Symlink Volumes
CVE-2025-9566
8.1 - High
- September 05, 2025
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
Directory traversal
libsoup Vary header ignored in cache, info leakage risk (CVE-2025-9901)
CVE-2025-9901
5.9 - Medium
- September 03, 2025
A flaw was found in libsoup's caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.
Use of Cache Containing Sensitive Information
Undertow DoS via MadeYouReset Server-Reset Abuse
CVE-2025-9784
7.5 - High
- September 02, 2025
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Allocation of Resources Without Limits or Throttling
Udisks Daemon Local PrivEsc via Negative Loop Device Index on DBus
CVE-2025-8067
8.5 - High
- August 28, 2025
A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users.
Out-of-bounds Read