Enterprise Linux (RHEL) Red Hat Enterprise Linux (RHEL)

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Enterprise Linux (RHEL).

Recent Red Hat Enterprise Linux (RHEL) Security Advisories

Advisory Title Published
RHSA-2021:3144 (RHSA-2021:3144) Low: .NET Core 2.1 on Red Hat Enterprise Linux security and bugfix update August 11, 2021
RHSA-2021:1547 (RHSA-2021:1547) Important: .NET Core 3.1 on Red Hat Enterprise Linux security and bugfix update May 12, 2021
RHSA-2021:1546 (RHSA-2021:1546) Important: .NET 5.0 on Red Hat Enterprise Linux security and bugfix update May 12, 2021

By the Year

In 2025 there have been 0 vulnerabilities in Red Hat Enterprise Linux (RHEL). Last year, in 2024 Enterprise Linux (RHEL) had 81 security vulnerabilities published. Right now, Enterprise Linux (RHEL) is on track to have less security vulnerabilities in 2025 than it did last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 81 6.22
2023 189 6.38
2022 174 6.71
2021 147 6.76
2020 104 6.41
2019 292 6.30
2018 112 7.59

It may take a day or so for new Enterprise Linux (RHEL) vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Enterprise Linux (RHEL) Security Vulnerabilities

Mutt and NeoMutt Email Header Spoofing Vulnerability

CVE-2024-49394 5.3 - Medium - November 12, 2024

In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.

Improper Verification of Cryptographic Signature

Mutt and NeoMutt PGP Encryption Bcc Header Leak Vulnerability

CVE-2024-49395 5.3 - Medium - November 12, 2024

In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.

Email Header Manipulation Vulnerability in Mutt and NeoMutt

CVE-2024-49393 5.9 - Medium - November 12, 2024

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of the recipients to compromise message confidentiality.

Improper Verification of Cryptographic Signature

In the Linux kernel

CVE-2024-50074 7.8 - High - October 29, 2024

In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly.

Out-of-bounds Read

A vulnerability was found in Podman, Buildah, and CRI-O

CVE-2024-9676 6.5 - Medium - October 15, 2024

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

Directory traversal

A vulnerability was found in Buildah

CVE-2024-9675 7.8 - High - October 09, 2024

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Directory traversal

A flaw was found in Go

CVE-2024-9341 8.2 - High - October 01, 2024

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

insecure temporary file

A flaw was found in QEMU

CVE-2024-8354 5.5 - Medium - September 19, 2024

A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.

assertion failure

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver

CVE-2024-8443 2.9 - Low - September 10, 2024

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.

Memory Corruption

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK

CVE-2024-45615 3.9 - Low - September 03, 2024

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.).

Use of Uninitialized Resource

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK

CVE-2024-45616 3.9 - Low - September 03, 2024

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

Use of Uninitialized Resource

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK

CVE-2024-45617 3.9 - Low - September 03, 2024

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Use of Uninitialized Resource

A vulnerability was found in pkcs15-init in OpenSC

CVE-2024-45618 3.9 - Low - September 03, 2024

A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Use of Uninitialized Resource

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK

CVE-2024-45619 4.3 - Medium - September 03, 2024

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.

Classic Buffer Overflow

A vulnerability was found in the pkcs15-init tool in OpenSC

CVE-2024-45620 3.9 - Low - September 03, 2024

A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.

Classic Buffer Overflow

An issue was discovered in FRRouting (FRR) through 10.1

CVE-2024-44070 7.5 - High - August 19, 2024

An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`

CVE-2024-7006 7.5 - High - August 12, 2024

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

NULL Pointer Dereference

A flaw was found in Podman

CVE-2024-3056 7.7 - High - August 02, 2024

A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.

Resource Exhaustion

A flaw was found in the 389 Directory Server

CVE-2024-6237 6.5 - Medium - July 09, 2024

A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.

A flaw was found in the virtio-net device in QEMU

CVE-2024-6505 6.8 - Medium - July 05, 2024

A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.

Out-of-bounds Read

OpenSSH Race Condition leading to RCE, known as regreSSHion

CVE-2024-6387 8.1 - High - July 01, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Race Condition

A flaw was found in the Poppler's Pdfinfo utility

CVE-2024-6239 7.5 - High - June 21, 2024

A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.

A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the clients session key

CVE-2024-3183 8.1 - High - June 12, 2024

A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the clients session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the users password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principals password).

Use of Password Hash With Insufficient Computational Effort

A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file

CVE-2024-5742 6.7 - Medium - June 12, 2024

A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.

insecure temporary file

A flaw was found in Booth, a cluster ticket manager

CVE-2024-3049 5.9 - Medium - June 06, 2024

A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server.

Insufficient Verification of Data Authenticity

net-snmp provides various tools relating to the Simple Network Management Protocol

CVE-2022-24806 5.3 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

net-snmp provides various tools relating to the Simple Network Management Protocol

CVE-2022-24807 6.5 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a malformed OID in a SET request to `SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable` can cause an out-of-bounds memory access. A user with read-write credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

Classic Buffer Overflow

net-snmp provides various tools relating to the Simple Network Management Protocol

CVE-2022-24808 6.5 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

NULL Pointer Dereference

net-snmp provides various tools relating to the Simple Network Management Protocol

CVE-2022-24809 6.5 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

NULL Pointer Dereference

net-snmp provides various tools relating to the Simple Network Management Protocol

CVE-2022-24805 8.8 - High - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

Classic Buffer Overflow

A flaw was found in QEMU

CVE-2024-3567 5.5 - Medium - April 10, 2024

A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.

assertion failure

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass

CVE-2023-52160 6.5 - Medium - February 22, 2024

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

authentification

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs)

CVE-2023-50387 7.5 - High - February 14, 2024

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Allocation of Resources Without Limits or Throttling

The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages

CVE-2024-1454 3.4 - Low - February 12, 2024

The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occuring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can allow for compromised card management operations during enrolment.

Dangling pointer

A vulnerability was found in JWCrypto

CVE-2023-6681 5.3 - Medium - February 12, 2024

A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

Resource Exhaustion

A heap overflow flaw was found in 389-ds-base

CVE-2024-1062 - February 12, 2024

A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

Heap-based Buffer Overflow

A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel

CVE-2024-1151 5.5 - Medium - February 11, 2024

A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.

Memory Corruption

An out-of-bounds memory access flaw was found in the X.Org server

CVE-2024-0229 7.8 - High - February 09, 2024

An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.

Memory Corruption

A flaw was found in the Linux kernel's NVMe driver

CVE-2023-6356 7.5 - High - February 07, 2024

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.

NULL Pointer Dereference

A flaw was found in the Linux kernel's NVMe driver

CVE-2023-6535 7.5 - High - February 07, 2024

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.

NULL Pointer Dereference

A flaw was found in the Linux kernel's NVMe driver

CVE-2023-6536 7.5 - High - February 07, 2024

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.

NULL Pointer Dereference

A flaw was found in the grub2-set-bootflag utility of grub2

CVE-2024-1048 3.3 - Low - February 06, 2024

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.

Insufficient Cleanup

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios

CVE-2024-0690 5.5 - Medium - February 06, 2024

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Output Sanitization

A flaw was found in m2crypto

CVE-2023-50781 7.5 - High - February 05, 2024

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Side Channel Attack

A flaw was found in the python-cryptography package

CVE-2023-50782 7.5 - High - February 05, 2024

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Side Channel Attack

A path traversal vulnerability was found in the CPIO utility

CVE-2023-7216 5.3 - Medium - February 05, 2024

A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.

Directory traversal

A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel

CVE-2023-6240 6.5 - Medium - February 04, 2024

A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.

Side Channel Attack

A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant

CVE-2023-5992 5.9 - Medium - January 31, 2024

A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.

Side Channel Attack

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts

CVE-2024-0914 5.9 - Medium - January 31, 2024

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

Side Channel Attack

A flaw was found in the Linux kernel's memory deduplication mechanism

CVE-2024-0564 6.5 - Medium - January 30, 2024

A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's "max page share". Through these operations, the attacker can leak the victim's page.

Side Channel Attack

An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary

CVE-2023-40549 5.5 - Medium - January 29, 2024

An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.

Out-of-bounds Read

An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information

CVE-2023-40550 5.5 - Medium - January 29, 2024

An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.

Out-of-bounds Read

A flaw was found in Shim when an error happened while creating a new ESL variable

CVE-2023-40546 5.5 - Medium - January 29, 2024

A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.

NULL Pointer Dereference

A flaw was found in the MZ binary format in Shim

CVE-2023-40551 5.1 - Medium - January 29, 2024

A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.

Out-of-bounds Read

A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality

CVE-2024-0841 7.8 - High - January 28, 2024

A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.

NULL Pointer Dereference

An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API

CVE-2023-52355 7.5 - High - January 25, 2024

An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.

Memory Corruption

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API

CVE-2023-52356 7.5 - High - January 25, 2024

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

Memory Corruption

A remote code execution vulnerability was found in Shim

CVE-2023-40547 8.3 - High - January 25, 2024

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Memory Corruption

A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel

CVE-2024-0775 7.1 - High - January 22, 2024

A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.

Dangling pointer

A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket

CVE-2023-6531 7 - High - January 21, 2024

A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.

Race Condition

A flaw was found in the X.Org server

CVE-2024-0408 5.5 - Medium - January 18, 2024

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

A flaw was found in the Netfilter subsystem in the Linux kernel

CVE-2024-0607 6.6 - Medium - January 18, 2024

A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.

A flaw was found in the X.Org server

CVE-2024-0409 7.8 - High - January 18, 2024

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Memory Corruption

A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernels SCTP subsystem

CVE-2024-0639 5.5 - Medium - January 17, 2024

A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernels SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.

Improper Locking

A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernels TIPC subsystem

CVE-2024-0641 5.5 - Medium - January 17, 2024

A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernels TIPC subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.

Improper Locking

An out-of-bounds memory write flaw was found in the Linux kernels Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination

CVE-2024-0646 7.8 - High - January 17, 2024

An out-of-bounds memory write flaw was found in the Linux kernels Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Memory Corruption

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c

CVE-2024-0232 5.5 - Medium - January 16, 2024

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

Dangling pointer

A vulnerability was found in GnuTLS

CVE-2024-0553 7.5 - High - January 16, 2024

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Side Channel Attack

A use-after-free flaw was found in the Linux Kernel

CVE-2024-0562 7.8 - High - January 15, 2024

A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.

Dangling pointer

An authentication bypass flaw was found in GRUB due to the way

CVE-2023-4001 6.8 - Medium - January 15, 2024

An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker capable of attaching an external drive such as a USB stick containing a file system with a duplicate UUID (the same as in the "/boot/" file system) can bypass the GRUB password protection feature on UEFI systems, which enumerate removable drives before non-removable ones. This issue was introduced in a downstream patch in Red Hat's version of grub2 and does not affect the upstream package.

Authentication Bypass by Spoofing

A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel

CVE-2023-6915 5.5 - Medium - January 15, 2024

A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.

NULL Pointer Dereference

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y

CVE-2024-23301 5.5 - Medium - January 12, 2024

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages

CVE-2023-6683 6.5 - Medium - January 12, 2024

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.

NULL Pointer Dereference

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem

CVE-2024-0443 5.5 - Medium - January 12, 2024

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.

Exposure of Resource to Wrong Sphere

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA

CVE-2023-5455 6.5 - Medium - January 10, 2024

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Session Riding

It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations

CVE-2021-3600 7.8 - High - January 08, 2024

It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.

Out-of-bounds Read

A flaw was found in libssh

CVE-2023-6004 4.8 - Medium - January 03, 2024

A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.

Injection

A use-after-free flaw was found in PackageKitd

CVE-2024-0217 3.3 - Low - January 03, 2024

A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.

Dangling pointer

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel

CVE-2023-7192 4.4 - Medium - January 02, 2024

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.

Memory Leak

A use-after-free flaw was found in the netfilter subsystem of the Linux kernel

CVE-2024-0193 6.7 - Medium - January 02, 2024

A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.

Dangling pointer

A stack based buffer overflow was found in the virtio-net device of QEMU

CVE-2023-6693 5.3 - Medium - January 02, 2024

A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.

Memory Corruption

A flaw was found in shadow-utils

CVE-2023-4641 5.5 - Medium - December 27, 2023

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

authentification

OpenSSH through 9.6, when common types of DRAM are used, might

CVE-2023-51767 7 - High - December 24, 2023

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

sendmail through 8.17.2 allows SMTP smuggling in certain configurations

CVE-2023-51765 5.3 - Medium - December 24, 2023

sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features.

Insufficient Verification of Data Authenticity

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options

CVE-2023-51764 5.3 - Medium - December 24, 2023

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Insufficient Verification of Data Authenticity

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel

CVE-2023-6546 7 - High - December 21, 2023

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.

Race Condition

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends

CVE-2023-6918 5.3 - Medium - December 19, 2023

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

Unchecked Return Value

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such

CVE-2023-48795 5.9 - Medium - December 18, 2023

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Improper Validation of Integrity Check Value

A flaw was found in the mod_proxy_cluster in the Apache server

CVE-2023-6710 5.4 - Medium - December 12, 2023

A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page.

XSS

A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel

CVE-2023-6679 5.5 - Medium - December 11, 2023

A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. This issue could be exploited to trigger a denial of service.

NULL Pointer Dereference

A flaw was found in PostgreSQL

CVE-2023-5869 8.8 - High - December 10, 2023

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Integer Overflow or Wraparound

A flaw was found in PostgreSQL involving the pg_cancel_backend role

CVE-2023-5870 4.4 - Medium - December 10, 2023

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

A memory disclosure vulnerability was found in PostgreSQL

CVE-2023-5868 4.3 - Medium - December 10, 2023

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel

CVE-2023-6622 5.5 - Medium - December 08, 2023

A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.

NULL Pointer Dereference

An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel

CVE-2023-6610 7.1 - High - December 08, 2023

An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

Out-of-bounds Read

An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel

CVE-2023-6606 7.1 - High - December 08, 2023

An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

Out-of-bounds Read

A flaw was found in libnbd

CVE-2023-5871 5.3 - Medium - November 27, 2023

A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service.

assertion failure

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality

CVE-2023-6176 4.7 - Medium - November 16, 2023

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.

NULL Pointer Dereference

An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel

CVE-2023-6121 4.3 - Medium - November 16, 2023

An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).

Out-of-bounds Read

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

CVE-2023-5544 5.4 - Medium - November 09, 2023

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Fedora Project Fedora or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe