Red Hat Openshift
Recent Red Hat Openshift Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:16155 | (RHSA-2026:16155) Important: OpenShift Container Platform 4.21.15 bug fix and security update | May 13, 2026 |
| RHSA-2026:16160 | (RHSA-2026:16160) Important: OpenShift Container Platform 4.18.41 bug fix and security update | May 13, 2026 |
| RHSA-2026:16542 | (RHSA-2026:16542) Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3 | May 12, 2026 |
| RHSA-2026:16537 | (RHSA-2026:16537) Red Hat OpenShift Service Mesh 3.3.3 | May 12, 2026 |
| RHSA-2026:16535 | (RHSA-2026:16535) Kiali 2.17.7 for Red Hat OpenShift Service Mesh 3.2 | May 12, 2026 |
| RHSA-2026:16534 | (RHSA-2026:16534) Kiali 2.4.16 for Red Hat OpenShift Service Mesh 3.0 | May 12, 2026 |
| RHSA-2026:16532 | (RHSA-2026:16532) Kiali 2.11.10 for Red Hat OpenShift Service Mesh 3.1 | May 12, 2026 |
| RHSA-2026:16508 | (RHSA-2026:16508) Red Hat OpenShift Service Mesh 3.2.5 | May 12, 2026 |
| RHSA-2026:16505 | (RHSA-2026:16505) Red Hat OpenShift Service Mesh 3.1.8 | May 12, 2026 |
| RHSA-2026:15091 | (RHSA-2026:15091) OpenShift Container Platform 4.14.65 bug fix and security update | May 12, 2026 |
By the Year
In 2026 there have been 57 vulnerabilities in Red Hat Openshift with an average score of 6.0 out of ten. Last year, in 2025, Openshift had 98 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Openshift in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.16.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 57 | 6.01 |
| 2025 | 98 | 6.16 |
| 2024 | 47 | 6.65 |
| 2023 | 7 | 6.34 |
| 2022 | 14 | 6.42 |
| 2021 | 6 | 5.90 |
| 2020 | 12 | 6.77 |
| 2019 | 6 | 6.13 |
| 2018 | 14 | 6.16 |
It may take a day or so for new Openshift vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Openshift Security Vulnerabilities
GNUTLS Name Constraint Bypass (CVE-2026-42011)
CVE-2026-42011
7.4 - High
- May 07, 2026
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.
Improper Certificate Validation
GNUTLS RSA-PSK Username NUL Bypass Auth
CVE-2026-42010
7.1 - High
- May 07, 2026
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
Poison Null Byte
Open vSwitch FTP Helper Heap OOB Leads to DoS
CVE-2026-34956
5.9 - Medium
- May 05, 2026
A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
Classic Buffer Overflow
Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly (CVE-2026-33846)
CVE-2026-33846
7.5 - High
- May 04, 2026
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
length manipulation
OOB Read via DTLS Fragment Underflow in GnuTLS
CVE-2026-33845
7.5 - High
- April 30, 2026
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
Integer underflow
GnuTLS OCSP Multi-Record Logic Error Allows Revoked Cert Acceptance
CVE-2026-3832
3.7 - Low
- April 30, 2026
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
Incorrect Behavior Order: Early Validation
GnuTLS SAN case-sensitivity flaw can bypass nameConstraints
CVE-2026-3833
6.5 - Medium
- April 30, 2026
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
Improper Handling of Case Sensitivity
OpenShift: BuildEnv Injection via buildconfigs/instantiate
CVE-2026-7309
4.3 - Medium
- April 28, 2026
A flaw was found in the OpenShift Container Platform build system. A user with the `edit` ClusterRole can inject arbitrary environment variables, such as `LD_PRELOAD` or `http_proxy`, into `docker-build` containers through the `buildconfigs/instantiate` API. This incomplete fix for a previous vulnerability allows for information disclosure, specifically impacting the confidentiality of build traffic.
Untrusted Path
OVN Remote OOB Read via Crafted DHCPv6 SOLICIT
CVE-2026-5367
8.6 - High
- April 24, 2026
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
length manipulation
libxml2 XSD Internal Entity Type-Confusion DoS
CVE-2026-6732
6.5 - Medium
- April 23, 2026
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Object Type Confusion
RedHat libefiboot local DoS via invalid device path node length
CVE-2026-6862
5.5 - Medium
- April 22, 2026
A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).
Stack Exhaustion
Heap Buffer Overrun in binutils XCOFF linker leads to LPE
CVE-2026-6846
7.8 - High
- April 22, 2026
A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.
Heap-based Buffer Overflow
Binutils Readelf Local DoS via Crafted ELF Files
CVE-2026-6844
5.5 - Medium
- April 22, 2026
A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.
Resource Exhaustion
nano Format String Vulnerability: Statusline DoS
CVE-2026-6843
5.5 - Medium
- April 22, 2026
A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.
Use of Externally-Controlled Format String
binutils readelf DoS via crafted ELF file
CVE-2026-6845
5 - Medium
- April 22, 2026
A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.
NULL Pointer Dereference
CVE-2026-6842: Nano Dir Perm Flaw Allows Bad .desktop Launcher
CVE-2026-6842
2.5 - Low
- April 22, 2026
A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.
Incorrect Permission Assignment for Critical Resource
dnsmasq OOB Write via BOOTREPLY (DHCP Split Relay)
CVE-2026-6507
7.5 - High
- April 17, 2026
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS).
Memory Corruption
SSSD PAM Passkey Daemon DoS via Unbounded Read (SSSD pam_passkey_child_read_data)
CVE-2026-6245
5.5 - Medium
- April 15, 2026
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
Buffer Access with Incorrect Length Value
GnuTLS Remote DoS via Malformed PSK Binder (NULL Ptr Deref)
CVE-2026-1584
7.5 - High
- April 09, 2026
A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.
NULL Pointer Dereference
libcap TOCTOU in cap_set_file() leads to privilege escalation
CVE-2026-4878
6.7 - Medium
- April 09, 2026
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
TOCTTOU
libssh Local MITM via Insecure Default Config on Windows
CVE-2025-14821
7.8 - High
- April 07, 2026
A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.
DLL preloading
NULL Pointer Deref in libarchive ACL Parsing (archive_acl_from_text_nl)
CVE-2026-5745
5.5 - Medium
- April 07, 2026
A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).
NULL Pointer Dereference
util-linux login(1) Hostname Canonicalization flaw bypassing PAM access
CVE-2026-3184
3.7 - Low
- April 03, 2026
A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.
Authentication Bypass by Alternate Name
Corosync Integer Overflow in UDP Join Validation (CVE-2026-35092)
CVE-2026-35092
7.5 - High
- April 01, 2026
A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.
Integer Overflow or Wraparound
Corosync OOB read via UDP in totemudp DoS
CVE-2026-35091
8.2 - High
- April 01, 2026
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents.
Incorrect Check of Function Return Value
Integer Overflow in libarchive ZISofs Block Pointer on 32bit
CVE-2026-5121
9.8 - Critical
- March 30, 2026
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
Integer Overflow or Wraparound
Unprivileged User Can Modify Firewall State via D-Bus in firewalld
CVE-2026-4948
5.5 - Medium
- March 27, 2026
A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.
Incorrect Execution-Assigned Permissions
libssh Denial of Service via Arbitrary File Access during Config Parsing
CVE-2026-0965
- March 26, 2026
A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.
External Control of File Name or Path
Libssh DoS via regex backtracking in match_pattern with crafted hostnames
CVE-2026-0967
- March 26, 2026
A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.
ReDoS
libssh SFTP longname NullCheck: Heap OverRead -> DoS
CVE-2026-0968
3.1 - Low
- March 26, 2026
A flaw was found in libssh. A malicious SFTP (SSH File Transfer Protocol) server can exploit it by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. The missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.
NULL Pointer Dereference
SCP Client Path Traversal Allowing Local File Overwrite (CVE-2026-0964)
CVE-2026-0964
- March 26, 2026
A malicious SCP server can send unexpected paths that could make the client application override local files outside of the working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
Directory traversal
OpenSSH ssh_get_hexa Zero-Length Leak Self-DoS via GSSAPI
CVE-2026-0966
- March 26, 2026
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
buffer underrun
CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100
5.3 - Medium
- March 26, 2026
A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.
Access of Uninitialized Pointer
PolKit setuid helper OOM DoS via long stdin input
CVE-2026-4897
5.5 - Medium
- March 26, 2026
A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.
Allocation of Resources Without Limits or Throttling
BFD Library XCOFF Relocation Validation Defect DoS
CVE-2026-4647
6.1 - Medium
- March 23, 2026
A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.
Out-of-bounds Read
Infinite Loop DoS via Crafted Boolean XPath in antchfx/xpath
CVE-2026-4645
- March 23, 2026
Negative DataRow Length in pgproto3 Leading to DoS
CVE-2026-4427
- March 19, 2026
UB in libarchive Zisofs Decompressor Enables DoS via Malicious ISO
CVE-2026-4426
6.5 - Medium
- March 19, 2026
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.
1335
libarchive Heap OOB Read via Craft RAR Archive
CVE-2026-4424
7.5 - High
- March 19, 2026
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
Out-of-bounds Read
Heap-based Overflow in GNU Binutils BFD Linker (CVE-2026-3441)
CVE-2026-3441
6.1 - Medium
- March 15, 2026
A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.
Out-of-bounds Read
BufOverflow bfd linker in GNU Binutils CVE-2026-3442
CVE-2026-3442
6.1 - Medium
- March 15, 2026
A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.
Out-of-bounds Read
Infinite Loop in libarchive RAR5 Decompression causing DoS
CVE-2026-4111
7.5 - High
- March 13, 2026
A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.
Infinite Loop
systemd Improper Access Control in D-Bus RegisterMachine
CVE-2026-4105
6.7 - Medium
- March 13, 2026
A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
Authorization
NFSv3 rpc.mountd Privilege Escalation via Directory Bypass (CVE-2025-12801)
CVE-2025-12801
6.5 - Medium
- March 04, 2026
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Incorrect Execution-Assigned Permissions
QEMU VMDK OOB Read Leak or DoS
CVE-2026-2243
5.1 - Medium
- February 19, 2026
A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).
Out-of-bounds Read
QEMU KVM Xen Guest Off-By-One heap OOB access in Xen physdev
CVE-2026-0665
6.5 - Medium
- February 18, 2026
An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.
Memory Corruption
QEMU uefi-vars Buffer Size vs Transfer I/O Info Leak
CVE-2025-8860
3.3 - Low
- February 18, 2026
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.
Improper Removal of Sensitive Information Before Storage or Transfer
QEMU virtio-crypto AKCIPHER DoS via unchecked memory allocation
CVE-2025-14876
5.5 - Medium
- February 18, 2026
A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.
Allocation of Resources Without Limits or Throttling
Fedora Linux: Kernel Lockdown Disabled, Unsigned Module Loading
CVE-2025-1272
7.7 - High
- February 18, 2026
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such as kernel memory mappings, I/O ports, BPF and kprobes. Additionally, unsigned modules can be loaded, leading to execution of untrusted code, breaking any Secure Boot protection. This vulnerability affects only Fedora Linux.
GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831
5.3 - Medium
- February 09, 2026
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
Inefficient Algorithmic Complexity