Rhel Els Red Hat Rhel Els

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Rhel Els.

By the Year

In 2026 there have been 214 vulnerabilities in Red Hat Rhel Els with an average score of 7.7 out of ten. Last year, in 2025 Rhel Els had 63 security vulnerabilities published. That is, 151 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.07




Year Vulnerabilities Average Score
2026 214 7.71
2025 63 7.78
2024 14 7.34
2023 5 8.22

It may take a day or so for new Rhel Els vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Rhel Els Security Vulnerabilities

389-ds-base 1.3.2+ Heap Buffer Overflow via oversized LDAP UNBIND
CVE-2026-11610 8.8 - High - July 07, 2026

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

Heap-based Buffer Overflow

ImageMagick SVG decoder command injection (pre 7.1.2-15 / pre 6.9.13-40)
CVE-2026-56379 8.1 - High - June 23, 2026

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.

Output Sanitization

CVE-2026-12329: Firefox ESR 140.12 Memory Safety Bug
CVE-2026-12329 7.5 - High - June 16, 2026

Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.

Buffer Overflow

Firefox ESR 115.36115.37, ESR 140.11140.12 & 151 Memory Corruption (Arbitrary Code)
CVE-2026-12328 7.5 - High - June 16, 2026

Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Classic Buffer Overflow

Firefox JIT Miscompilation in DOM Core & HTML (before 152, ESR 140.12, 115.37)
CVE-2026-12299 7.5 - High - June 16, 2026

JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Object Type Confusion

Memory safety bug in Firefox before 152 (fixed in 152)
CVE-2026-12298 7.5 - High - June 16, 2026

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Out-of-bounds Read

Firefox Sandbox Escape (Networking Boundary, pre-152)
CVE-2026-12297 7.5 - High - June 16, 2026

Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Buffer Overflow

Firefox 152 Sandbox Escape in Process Sandboxing Component
CVE-2026-12296 7.5 - High - June 16, 2026

Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Protection Mechanism Failure

Sandbox Esc. in DOM Nav. - Firefox <152 (ESR 140.12/115.37)
CVE-2026-12295 7.5 - High - June 16, 2026

Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Protection Mechanism Failure

Firefox Sandbox Escape via DOM Workers (pre-152, ESR 140.12, ESR 115.37)
CVE-2026-12294 7.5 - High - June 16, 2026

Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Protection Mechanism Failure

CVE-2026-12292: Firefox Web Audio boundary flaw (v<152)
CVE-2026-12292 7.5 - High - June 16, 2026

Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Buffer Overflow

Use-after-free in Firefox Networking HTTP before 152
CVE-2026-12291 7.5 - High - June 16, 2026

Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Dangling pointer

Firefox Memory Safety bug fixed in 152 ESR 140.12/115.37
CVE-2026-12290 7.5 - High - June 16, 2026

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Buffer Overflow

Firefox WebRender Privilege Escalation before 152
CVE-2026-12289 7.5 - High - June 16, 2026

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Improper Privilege Management

389-Ds SASL_IO Integer Overflow: DoS/RCE via Crafted Packet
CVE-2026-11774 7.6 - High - June 11, 2026

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.

Integer Overflow or Wraparound

ImageMagick OOM in AcquireAlignedMemory (pre-6.9.13-50/7.1.2-25)
CVE-2026-53460 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.

Allocation of Resources Without Limits or Throttling

Invalid DCM decode in ImageMagick <6.9.13-48 / <7.1.2-24 causes crash
CVE-2026-49218 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.

Improper Input Validation

ImageMagick OOB Heap Write via Multi-Image Read Before 6.9.13-48/7.1.2-23
CVE-2026-46520 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.

Heap-based Buffer Overflow

ImageMagick <=6.9.13-47,7.1.2-22: MNG Coder Missing Resource Check (CVE-2026-45664)
CVE-2026-45664 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.

Resource Exhaustion

ImageMagick MIFF decoder infinite loop CPU exhaustion prior to 7.1.2.23/6.9.13-48
CVE-2026-46522 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

Resource Exhaustion

ImageMagick PSD Decoder Bypass: List-Length Policy before 6.9.13-47/7.1.2-22
CVE-2026-45031 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.

Resource Exhaustion

ImageMagick heap-use-after-free via MSL image (v<7.1.2.23 & <6.9.13-48)
CVE-2026-46523 7.5 - High - June 10, 2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

Dangling pointer

X.Org X Server AAF in CreateSaverWindow() (Xwayland)
CVE-2026-50263 5.5 - Medium - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.

Dangling pointer

X.Org XServer Xwayland OOB Read __glXDisp_ChangeDrawableAttributes
CVE-2026-50262 5.5 - Medium - June 05, 2026

An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default.

Out-of-bounds Read

X.Org X Server & Xwayland OOB Heap Write via DRI2 Buffers
CVE-2026-50264 7.8 - High - June 05, 2026

An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Memory Corruption

UAF in X.Org X Server XWayland SyncChangeCounter()
CVE-2026-50261 7.8 - High - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Dangling pointer

Use-after-free in X.Org X Server via SyncCounters
CVE-2026-50260 7.8 - High - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Dangling pointer

Stack Buffer Overflow in X.Org X Server (_XkbSetMapChecks)
CVE-2026-50259 7.8 - High - June 05, 2026

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Stack Overflow

CVE-2026-50258: Stack BOF in X.Org X Server & Xwayland
CVE-2026-50258 7.8 - High - June 05, 2026

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Stack Overflow

X.Org X Server UAF via miSyncDestroyFence()
CVE-2026-50257 7.8 - High - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Dangling pointer

X.Org X Server: Stack Buffer Overflow via Font Alias Length Attack (CVE-2026-50256)
CVE-2026-50256 7.8 - High - June 05, 2026

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Stack Overflow

Kernel: CIFS spnego key authority fields misinterpreted
CVE-2026-46243 7.8 - High - June 01, 2026

In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

Improper Input Validation

Poppler Splash integer overflow arbitrary code exec
CVE-2026-10118 7.8 - High - June 01, 2026

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

Integer Overflow or Wraparound

Linux Kernel RCU Misuse in mlx4 SRQ Event Handling
CVE-2026-46181 7 - High - May 28, 2026

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.

Race Condition within a Thread

Samba Remote Cmd Exec via Unsanitized %u in check password script
CVE-2026-4408 9 - Critical - May 28, 2026

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

Shell injection

Linux Kernel ALSA aloop Peer Runtime UAF Fix
CVE-2026-46090 7 - High - May 27, 2026

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer. Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.

Signal Handler Race Condition

Linux kernel RDMA/rxe doublefree via rxe_srq_from_init
CVE-2026-45852 7 - High - May 27, 2026

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving 'srq->rq.queue = q' after copy_to_user.

IO::Compress <2.220 (File::GlobMapper) Arbitrary-Code via Output Glob
CVE-2026-48962 7.8 - High - May 27, 2026

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

Eval Injection

Shell Injection in Samba Print Service via Unescaped %J
CVE-2026-4480 9 - Critical - May 26, 2026

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.

Shell injection

389-DS LDAP DoS: Unbounded Controls Enable Remote Overload
CVE-2026-9064 7.5 - High - May 20, 2026

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

Allocation of Resources Without Limits or Throttling

Mozilla Firefox ESR 115.35/140.10/150 Mem Safety Bug (CVE-2026-8975)
CVE-2026-8975 7.5 - High - May 19, 2026

Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Buffer Overflow

Use-After-Free in WebIDL Bindings (Firefox <151)
CVE-2026-8947 7.5 - High - May 19, 2026

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Dangling pointer

Firefox Web Codecs Incorrect Boundary Conditions <151 (ESR 115/140)
CVE-2026-8946 7.5 - High - May 19, 2026

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Buffer Overflow

GnuTLS DTLS DoS via Duplicate Seq Number Reordering
CVE-2026-42009 7.5 - High - May 18, 2026

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Undefined Behavior for Input to API

Firefox 150.0.3 Sandbox Escape in Profile Backup (Fixed)
CVE-2026-8401 7.5 - High - May 12, 2026

Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Protection Mechanism Failure

JavaScript Engine flaw in Firefox 150.0.3 (fixed)
CVE-2026-8391 7.5 - High - May 12, 2026

Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Improper Input Validation

Firefox 150 JIT Boundary Condition Vulnerability in JS Engine
CVE-2026-8388 7.5 - High - May 12, 2026

Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Buffer Overflow

Apple WebKit Memory Crash via Crafted Web Content - fixed in 26.5
CVE-2026-28901 8.8 - High - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Buffer Overflow

UAF in Safari WebKit on macOS before 26.5 (fixed 26.5)
CVE-2026-28946 8.8 - High - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Dangling pointer

Apple Safari: UAF Crash Vulnerability Fixed in 26.5
CVE-2026-28947 8.8 - High - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Dangling pointer

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Rhel Els or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe