Red Hat Openshift

Recent Red Hat Openshift Security Advisories

| Advisory | Title | Published |
| --- | --- | --- |
| RHSA-2026:7404 | (RHSA-2026:7404) RHOAI 3.2 - Red Hat OpenShift AI | April 10, 2026 |
| RHSA-2026:7403 | (RHSA-2026:7403) RHOAI 3.3.1 - Red Hat OpenShift AI | April 10, 2026 |
| RHSA-2026:7398 | (RHSA-2026:7398) RHOAI 2.25.4 - Red Hat OpenShift AI | April 10, 2026 |
| RHSA-2026:7397 | (RHSA-2026:7397) RHOAI 2.16.4 - Red Hat OpenShift AI | April 10, 2026 |
| RHSA-2026:6564 | (RHSA-2026:6564) OpenShift Container Platform 4.20.18 bug fix and security update | April 9, 2026 |
| RHSA-2026:6565 | (RHSA-2026:6565) OpenShift Container Platform 4.20.18 security and extras update | April 9, 2026 |
| RHSA-2026:6492 | (RHSA-2026:6492) Important: OpenShift Container Platform 4.12.87 bug fix and security update | April 9, 2026 |
| RHSA-2026:6493 | (RHSA-2026:6493) OpenShift Container Platform 4.12.87 bug fix and security update | April 9, 2026 |
| RHSA-2026:6553 | (RHSA-2026:6553) Important: OpenShift Container Platform 4.18.37 bug fix and security update | April 9, 2026 |
| RHSA-2026:6552 | (RHSA-2026:6552) Moderate: OpenShift Container Platform 4.18.37 packages and security update | April 9, 2026 |

By the Year

In 2026 there have been 39 vulnerabilities in Red Hat Openshift with an average score of 6.0 out of ten. Last year, in 2025, Openshift had 98 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Openshift in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.12.




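| Year | Vulnerabilities | Average Score |
| --- | --- | --- |
| 2026 | 39 | 6.05 |
| 2025 | 98 | 6.16 |
| 2024 | 47 | 6.65 |
| 2023 | 7 | 6.34 |
| 2022 | 14 | 6.42 |
| 2021 | 6 | 5.90 |
| 2020 | 12 | 6.77 |
| 2019 | 6 | 6.13 |
| 2018 | 14 | 6.16 |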

It may take a day or so for new Openshift vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Openshift Security Vulnerabilities

GnuTLS Remote DoS via Malformed PSK Binder (NULL Ptr Deref)
CVE-2026-1584 7.5 - High - April 09, 2026

A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.

NULL Pointer Dereference

libcap TOCTOU in cap_set_file() leads to privilege escalation
CVE-2026-4878 6.7 - Medium - April 09, 2026

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

TOCTTOU

libssh Local MITM via Insecure Default Config on Windows
CVE-2025-14821 7.8 - High - April 07, 2026

A flaw was found in libssh. On Windows systems, the library's insecure default configuration automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. This allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications.

DLL preloading

NULL Pointer Deref in libarchive ACL Parsing (archive_acl_from_text_nl)
CVE-2026-5745 5.5 - Medium - April 07, 2026

A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).

NULL Pointer Dereference

util-linux login(1) Hostname Canonicalization flaw bypassing PAM access
CVE-2026-3184 3.7 - Low - April 03, 2026

A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Authentication Bypass by Alternate Name

Corosync Integer Overflow in UDP Join Validation (CVE-2026-35092)
CVE-2026-35092 7.5 - High - April 01, 2026

A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.

Integer Overflow or Wraparound

Corosync OOB read via UDP in totemudp DoS
CVE-2026-35091 8.2 - High - April 01, 2026

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.

Incorrect Check of Function Return Value

Integer Overflow in libarchive ZISofs Block Pointer on 32bit
CVE-2026-5121 9.8 - Critical - March 30, 2026

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Integer Overflow or Wraparound

Unprivileged User Can Modify Firewall State via D-Bus in firewalld
CVE-2026-4948 5.5 - Medium - March 27, 2026

A flaw was found in firewalld. Two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings, are mis-authorized. A local unprivileged user can exploit this to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.

Incorrect Execution-Assigned Permissions

libssh Denial of Service via Arbitrary File Access during Config Parsing
CVE-2026-0965 - March 26, 2026

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

External Control of File Name or Path

Libssh DoS via regex backtracking in match_pattern with crafted hostnames
CVE-2026-0967 - March 26, 2026

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

ReDoS

libssh SFTP longname NullCheck: Heap OverRead -> DoS
CVE-2026-0968 - March 26, 2026

A flaw was found in libssh. A malicious SFTP (SSH File Transfer Protocol) server can exploit it by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. A missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

NULL Pointer Dereference

SCP Client Path Traversal Allowing Local File Overwrite (CVE-2026-0964)
CVE-2026-0964 - March 26, 2026

A malicious SCP server can send unexpected paths that could make the client application overwrite local files outside of the working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Directory traversal

OpenSSH ssh_get_hexa Zero-Length Leak Self-DoS via GSSAPI
CVE-2026-0966 - March 26, 2026

The API function `ssh_get_hexa()` is vulnerable when zero-length input is provided to it. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which are vulnerable to the same input (the length is provided by the calling application). The function is also used internally in the GSSAPI code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely when the server allows GSSAPI authentication and logging verbosity is set to at least SSH_LOG_PACKET (3). This could cause a self-DoS of the per-connection daemon process.

buffer underrun

CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100 5.3 - Medium - March 26, 2026

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Access of Uninitialized Pointer

PolKit setuid helper OOM DoS via long stdin input
CVE-2026-4897 5.5 - Medium - March 26, 2026

A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Allocation of Resources Without Limits or Throttling

BFD Library XCOFF Relocation Validation Defect DoS
CVE-2026-4647 6.1 - Medium - March 23, 2026

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

Out-of-bounds Read

UB in libarchive Zisofs Decompressor Enables DoS via Malicious ISO
CVE-2026-4426 6.5 - Medium - March 19, 2026

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

1335

libarchive Heap OOB Read via Craft RAR Archive
CVE-2026-4424 7.5 - High - March 19, 2026

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Out-of-bounds Read

Heap-based Overflow in GNU Binutils BFD Linker (CVE-2026-3441)
CVE-2026-3441 6.1 - Medium - March 15, 2026

A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.

Out-of-bounds Read

BufOverflow bfd linker in GNU Binutils CVE-2026-3442
CVE-2026-3442 6.1 - Medium - March 15, 2026

A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

Out-of-bounds Read

Infinite Loop in libarchive RAR5 Decompression causing DoS
CVE-2026-4111 7.5 - High - March 13, 2026

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Infinite Loop

systemd Improper Access Control in D-Bus RegisterMachine
CVE-2026-4105 6.7 - Medium - March 13, 2026

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Authorization

NFSv3 rpc.mountd Privilege Escalation via Directory Bypass (CVE-2025-12801)
CVE-2025-12801 6.5 - Medium - March 04, 2026

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux that allows an NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Incorrect Execution-Assigned Permissions

QEMU VMDK OOB Read Leak or DoS
CVE-2026-2243 5.1 - Medium - February 19, 2026

A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).

Out-of-bounds Read

QEMU KVM Xen Guest Off-By-One heap OOB access in Xen physdev
CVE-2026-0665 6.5 - Medium - February 18, 2026

An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.

Memory Corruption

QEMU uefi-vars Buffer Size vs Transfer I/O Info Leak
CVE-2025-8860 3.3 - Low - February 18, 2026

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Improper Removal of Sensitive Information Before Storage or Transfer

QEMU virtio-crypto AKCIPHER DoS via unchecked memory allocation
CVE-2025-14876 5.5 - Medium - February 18, 2026

A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.

Allocation of Resources Without Limits or Throttling

Fedora Linux: Kernel Lockdown Disabled, Unsigned Module Loading
CVE-2025-1272 7.7 - High - February 18, 2026

On Fedora Linux, kernel versions 6.12 and above have the Linux kernel lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such as kernel memory mappings, I/O ports, BPF and kprobes. Additionally, unsigned modules can be loaded, leading to execution of untrusted code and breaking any Secure Boot protection. This vulnerability affects only Fedora Linux.

GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 5.3 - Medium - February 09, 2026

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Inefficient Algorithmic Complexity

Memory Leak in libxml2 xmllint Shell Leads to Local DoS
CVE-2026-1757 6.2 - Medium - February 02, 2026

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Memory Leak

GnuTLS Stack Buffer Overflow in PKCS#11 Init Allows DoS/Code Exec
CVE-2025-9820 4 - Medium - January 26, 2026

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Stack Overflow

Privilege Escalation Vulnerability in NetworkManager (CVE-2025-9615)
CVE-2025-9615 - January 26, 2026

A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.

Improper Preservation of Permissions

Information Disclosure in Go Viper Mapstructure WeakDecode via Error Messages
CVE-2025-11065 5.3 - Medium - January 26, 2026

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Generation of Error Message Containing Sensitive Information

libxml2 XML Catalog DoS via Repeated <nextCatalog> Recursion
CVE-2026-0992 2.9 - Low - January 15, 2026

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Resource Exhaustion

Denial-of-Service via Unbounded <include> Recursion in libxml2 RelaxNG Parser
CVE-2026-0989 3.7 - Low - January 15, 2026

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Stack Exhaustion

libxml2 Uncontrolled Recursion in xmlCatalogXMLResolveURI Causing DoS
CVE-2026-0990 5.9 - Medium - January 15, 2026

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Stack Exhaustion

OpenShift API Server SSRF Enables Internal Network Enumeration
CVE-2025-14443 6.4 - Medium - December 16, 2025

A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references.

SSRF

glib GIO escape_byte_string overflow causes heap buffer DoS
CVE-2025-14512 6.5 - Medium - December 11, 2025

A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Integer Overflow or Wraparound

Heap Buffer Overread in util-linux setpwnam() (256-byte usernames)
CVE-2025-14104 6.1 - Medium - December 05, 2025

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Out-of-bounds Read

Glib Heap Buffer Overflow in g_escape_uri_string()
CVE-2025-13601 7.7 - High - November 26, 2025

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Integer Overflow or Wraparound

GRUB2 UAF in network module => DoS
CVE-2025-54770 4.9 - Medium - November 18, 2025

A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability.

Dangling pointer

GRUB2 Normal Module UAF Can Crash or Leak Data
CVE-2025-61664 4.9 - Medium - November 18, 2025

A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

Dangling pointer

GRUB2: UAF in normal command leads to DoS
CVE-2025-61663 4.9 - Medium - November 18, 2025

A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. An impact on data integrity and confidentiality is also not ruled out.

Dangling pointer

UAF in GRUB gettext module leads to denial of service
CVE-2025-61662 7.8 - High - November 18, 2025

A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause GRUB to crash, leading to a Denial of Service. A possible compromise of data integrity or confidentiality is not ruled out.

Dangling pointer

CVE-2025-61661: GRUB USB String Conv DoS
CVE-2025-61661 4.8 - Medium - November 18, 2025

A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. Successful exploitation may cause GRUB to crash, leading to a Denial of Service. Data corruption may also be possible, although given the complexity of the exploit the impact is most likely limited.

Incorrect Calculation of Buffer Size

Use-After-Free in GNU GRUB Causes DoS via Invalid File Pointer
CVE-2025-54771 4.9 - Medium - November 18, 2025

A use-after-free vulnerability has been identified in GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause GRUB to crash, leading to a Denial of Service. A possible compromise of data integrity or confidentiality is not ruled out.

Dangling pointer

libxml2 xmlSetTreeDoc UAF via stale ns pointer
CVE-2025-12863 - November 07, 2025
