Red Hat Openshift

Samba Remote Cmd Exec via Unsanitized %u in check password script
CVE-2026-4408 9 - Critical - May 28, 2026

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

Shell injection

CVE-2026-44604: rpmuncompress Command Injection W/O Sanitization
CVE-2026-44604 7 - High - May 28, 2026

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

Shell injection

Samba NTFS Reparse Points Access Control Bypass via SMB
CVE-2026-1933 7.1 - High - May 27, 2026

A flaw was found in Sambas handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.

Authorization

Sambas vfs_worm Rename Bypass Enables Overwrite of WORM Files
CVE-2026-2340 6.5 - Medium - May 27, 2026

A flaw was found in Sambas vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

Improper Handling of Insufficient Permissions or Privileges

Samba CA AutoEnroll HTTP Trust Misinstall (CVE-2026-3012)
CVE-2026-3012 8 - High - May 27, 2026

A flaw was found in Sambas certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.

Insufficient Verification of Data Authenticity

GnuTLS PKCS#12 Bag Off-by-One Buffer Overwrite
CVE-2026-42015 5.3 - Medium - May 26, 2026

A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.

off-by-five

GnuTLS SAN Size ForkCheck Bypass
CVE-2026-42013 8.2 - High - May 26, 2026

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

Improper Validation of Specified Quantity in Input

GNUTLS Certificate Validation Bypass via URI/SRV SAN Fallback
CVE-2026-42012 7.1 - High - May 26, 2026

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

Improper Certificate Validation

Libgnutls RSA PKCS#11 Key Exchange Overread Info Disclosure
CVE-2026-5260 8.2 - High - May 26, 2026

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

Improper Validation of Specified Quantity in Input

libsolv Heap Buffer Overflow via .solv Decompression
CVE-2026-48864 7.8 - High - May 26, 2026

A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.

Memory Corruption

Shell Injection in Samba Print Service via Unescaped %J
CVE-2026-4480 8.5 - High - May 26, 2026

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.

Shell injection

libsolv Heap B.O. in repo_add_solv via negative .solv size
CVE-2026-9149 6.5 - Medium - May 20, 2026

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

Heap-based Buffer Overflow

Red Hat libsolv Stack Buffer Overflow in Debian METADATA Parser
CVE-2026-9150 6.5 - Medium - May 20, 2026

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.

Stack Overflow

GnuTLS DTLS DoS via Duplicate Seq Number Reordering
CVE-2026-42009 7.5 - High - May 18, 2026

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Undefined Behavior for Input to API

GNUTLS Name Constraint Bypass (CVE-2026-42011)
CVE-2026-42011 7.4 - High - May 07, 2026

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Improper Certificate Validation

GNUTLS RSA-PSK Username NUL Bypass Auth
CVE-2026-42010 7.1 - High - May 07, 2026

A flaw was found in gnutls. Servers configured with RSA-PSK (RivestShamirAdleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Poison Null Byte

Open vSwitch FTP Helper Heap OOB Leads to DoS
CVE-2026-34956 5.9 - Medium - May 05, 2026

A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.

Classic Buffer Overflow

Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly (CVE-2026-33846)
CVE-2026-33846 7.5 - High - May 04, 2026

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

length manipulation

OOB Read via DTLS Fragment Underflow in GnuTLS
CVE-2026-33845 7.5 - High - April 30, 2026

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Integer underflow

GnuTLS OCSP Multi-Record Logic Error Allows Revoked Cert Acceptance
CVE-2026-3832 3.7 - Low - April 30, 2026

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.

Incorrect Behavior Order: Early Validation

GnuTLS SAN case-sensitivity flaw can bypass nameConstraints
CVE-2026-3833 6.5 - Medium - April 30, 2026

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Improper Handling of Case Sensitivity

OpenShift: BuildEnv Injection via buildconfigs/instantiate
CVE-2026-7309 4.3 - Medium - April 28, 2026

A flaw was found in the OpenShift Container Platform build system. A user with the `edit` ClusterRole can inject arbitrary environment variables, such as `LD_PRELOAD` or `http_proxy`, into `docker-build` containers through the `buildconfigs/instantiate` API. This incomplete fix for a previous vulnerability allows for information disclosure, specifically impacting the confidentiality of build traffic.

Untrusted Path

OVN Remote OOB Read via Crafted DHCPv6 SOLICIT
CVE-2026-5367 8.6 - High - April 24, 2026

A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.

length manipulation

libxml2 XSD Internal Entity Type-Confusion DoS
CVE-2026-6732 6.5 - Medium - April 23, 2026

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Object Type Confusion

RedHat libefiboot local DoS via invalid device path node length
CVE-2026-6862 5.5 - Medium - April 22, 2026

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Stack Exhaustion

Heap Buffer Overrun in binutils XCOFF linker leads to LPE
CVE-2026-6846 7.8 - High - April 22, 2026

A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.

Heap-based Buffer Overflow

Binutils Readelf Local DoS via Crafted ELF Files
CVE-2026-6844 5.5 - Medium - April 22, 2026

A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.

Resource Exhaustion

nano Format String Vulnerability: Statusline DoS
CVE-2026-6843 5.5 - Medium - April 22, 2026

A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.

Use of Externally-Controlled Format String

binutils readelf DoS via crafted ELF file
CVE-2026-6845 5 - Medium - April 22, 2026

A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.

NULL Pointer Dereference

CVE-2026-6842: Nano Dir Perm Flaw Allows Bad .desktop Launcher
CVE-2026-6842 2.5 - Low - April 22, 2026

A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.

Incorrect Permission Assignment for Critical Resource

dnsmasq OOB Write via BOOTREPLY (DHCP Split Relay)
CVE-2026-6507 7.5 - High - April 17, 2026

A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS).

Memory Corruption

SSSD PAM Passkey Daemon DoS via Unbounded Read (SSSD pam_passkey_child_read_data)
CVE-2026-6245 5.5 - Medium - April 15, 2026

A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).

Buffer Access with Incorrect Length Value

GnuTLS Remote DoS via Malformed PSK Binder (NULL Ptr Deref)
CVE-2026-1584 7.5 - High - April 09, 2026

A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.

NULL Pointer Dereference

libcap TOCTOU in cap_set_file() leads to privilege escalation
CVE-2026-4878 6.7 - Medium - April 09, 2026

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

TOCTTOU

libssh Local MITM via Insecure Default Config on Windows
CVE-2025-14821 7.8 - High - April 07, 2026

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

DLL preloading

NULL Pointer Deref in libarchive ACL Parsing (archive_acl_from_text_nl)
CVE-2026-5745 5.5 - Medium - April 07, 2026

A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).

NULL Pointer Dereference

util-linux login(1) Hostname Canonicalization flaw bypassing PAM access
CVE-2026-3184 3.7 - Low - April 03, 2026

A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Authentication Bypass by Alternate Name

Corosync Integer Overflow in UDP Join Validation (CVE-2026-35092)
CVE-2026-35092 7.5 - High - April 01, 2026

A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.

Integer Overflow or Wraparound

Corosync OOB read via UDP in totemudp DoS
CVE-2026-35091 8.2 - High - April 01, 2026

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents

Incorrect Check of Function Return Value

Integer Overflow in libarchive ZISofs Block Pointer on 32bit
CVE-2026-5121 9.8 - Critical - March 30, 2026

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Integer Overflow or Wraparound

Unprivileged User Can Modify Firewall State via D-Bus in firewalld
CVE-2026-4948 5.5 - Medium - March 27, 2026

A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.

Incorrect Execution-Assigned Permissions

libssh Denial of Service via Arbitrary File Access during Config Parsing
CVE-2026-0965 - March 26, 2026

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

External Control of File Name or Path

Libssh DoS via regex backtracking in match_pattern with crafted hostnames
CVE-2026-0967 - March 26, 2026

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

ReDoS

libssh SFTP longname NullCheck: Heap OverRead -> DoS
CVE-2026-0968 3.1 - Low - March 26, 2026

A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

NULL Pointer Dereference

SCP Client Path Traversal Allowing Local File Overwrite (CVE-2026-0964)
CVE-2026-0964 - March 26, 2026

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Directory traversal

OpenSSH ssh_get_hexa Zero-Length Leak Self-DoS via GSSAPI
CVE-2026-0966 - March 26, 2026

A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.

buffer underrun

CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100 5.3 - Medium - March 26, 2026

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Access of Uninitialized Pointer

PolKit setuid helper OOM DoS via long stdin input
CVE-2026-4897 5.5 - Medium - March 26, 2026

A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Allocation of Resources Without Limits or Throttling

BFD Library XCOFF Relocation Validation Defect DoS
CVE-2026-4647 6.1 - Medium - March 23, 2026

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

Out-of-bounds Read

Infinite Loop DoS via Crafted Boolean XPath in antchfx/xpath
CVE-2026-4645 - March 23, 2026