Red Hat Rhel Eus

By the Year

In 2026 there have been 0 vulnerabilities in Red Hat Rhel Eus. Last year, in 2025, Rhel Eus had 80 security vulnerabilities published. Right now, Rhel Eus is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 80 7.27
2024 66 6.80
2023 47 6.83

It may take a day or so for new Rhel Eus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Rhel Eus Security Vulnerabilities

WebKitGTK Unexpected Crash from Malicious Web Content (CVE-2025-66287)
CVE-2025-66287 8.8 - High - December 04, 2025

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.

Classic Buffer Overflow

WebKitGTK File DragDrop Info Disclosure (CVE-2025-13947)
CVE-2025-13947 7.4 - High - December 03, 2025

A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read by abusing the file drag-and-drop mechanism: WebKitGTK does not verify that drag operations originate from outside the browser.

Origin Validation Error

Out-of-Bounds Read / Integer Underflow in WebKitGTK (UIProcess DoS)
CVE-2025-13502 7.5 - High - November 25, 2025

A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.

Integer Overflow or Wraparound

Keylime Agent: UUID Overwrite via TPM ID Spoof
CVE-2025-13609 8.2 - High - November 24, 2025

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.

Use of Multiple Resources with Duplicate Identifier

kdcproxy DoS via Unbounded TCP Response Length (CVE-2025-59089)
CVE-2025-59089 5.9 - Medium - November 12, 2025

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.

Allocation of Resources Without Limits or Throttling

DNS SSRF in MIT Kerberos kdcproxy
CVE-2025-59088 8.6 - High - November 12, 2025

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.

SSRF

UA-FAULT: X.Org X Server X11 Present Extension Use-After-Free (CVE-2025-62229)
CVE-2025-62229 7.3 - High - October 30, 2025

A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

Dangling pointer

X.Org X Server Xkb Extension Use-After-Free on Client Cleanup
CVE-2025-62230 7.3 - High - October 30, 2025

A flaw was discovered in the X.Org X server's X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.

Dangling pointer

X.Org X Server XkbSetCompatMap Short Overflow Causing CRASH
CVE-2025-62231 7.3 - High - October 30, 2025

A flaw was identified in the X.Org X server's X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.

Integer Overflow or Wraparound

SSSD AD Kerberos Auth Plugin Flaw Enables Privilege Escalation
CVE-2025-11561 8.8 - High - October 09, 2025

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

Improper Privilege Management

QEMU QIOChannelWebsock UAF via WebSocket handshake
CVE-2025-11234 7.5 - High - October 03, 2025

A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

Dangling pointer

FreeIPA Privilege Escalation via Missing krbCanonicalName Validation
CVE-2025-7493 9.1 - Critical - September 30, 2025

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Insufficient Granularity of Access Control

libsoup OOB read via cookie date handling flaw
CVE-2025-11021 7.5 - High - September 26, 2025

A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.

Out-of-bounds Read

Libtiff Write-What-Where via TIFF Height Field
CVE-2025-9900 8.8 - High - September 23, 2025

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Write-what-where Condition

Podman v4.0.0–v5.6.1: kube Play Overwrite Host Files via Symlink Volumes
CVE-2025-9566 8.1 - High - September 05, 2025

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman; Upstream-version-introduced: v4.0.0; Upstream-version-fixed: v5.6.1

Directory traversal

Udisks Daemon Local PrivEsc via Negative Loop Device Index on DBus
CVE-2025-8067 8.5 - High - August 28, 2025

A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handler, it receives the file descriptor list and an index specifying the file that should back the loop device. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users.

Out-of-bounds Read

Linux-PAM pam_namespace LPE via Symlink Race
CVE-2025-8941 7.8 - High - August 13, 2025

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Directory traversal

GnuTLS NULL Deref in figure_common_ciphersuite()
CVE-2025-6395 6.5 - Medium - July 10, 2025

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

NULL Pointer Dereference

libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425 7.8 - High - July 10, 2025

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Dangling pointer

GnuTLS certtool Heap OOB Null Write in Template Parsing – DoS
CVE-2025-32990 6.5 - Medium - July 10, 2025

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Heap-based Buffer Overflow

GnuTLS CT SCT Heap-Buffer-Overread (CVE-2025-32989)
CVE-2025-32989 5.3 - Medium - July 10, 2025

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

Improper Certificate Validation

GnuTLS Double-Free in SAN Export Logic (CVE-2025-32988)
CVE-2025-32988 6.5 - Medium - July 10, 2025

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Double-free

Heap Buffer Overflow in gdk-pixbuf JPEG Load Leading to OOB Read & Code Exec
CVE-2025-7345 7.5 - High - July 08, 2025

A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.

Classic Buffer Overflow

libssh ChaCha20 Heap Exhaustion Causes Unchecked Cipher Context (CVE-2025-5987)
CVE-2025-5987 8.1 - High - July 07, 2025

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.

Return of Wrong Status Code

Podman TLS Cert Bypass in machine init Allows MITM
CVE-2025-6032 8.3 - High - June 24, 2025

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

Improper Certificate Validation

OOB Read in libssh SFTP Handle (CVE-2025-5318)
CVE-2025-5318 7.1 - High - June 24, 2025

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Out-of-bounds Read

Root Priv Escalation via libblockdev in udisks with XFS SUID
CVE-2025-6019 7 - High - June 19, 2025

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able to escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

Execution with Unnecessary Privileges

X Server 'bytes to ignore' flaw to DoS
CVE-2025-49178 5.5 - Medium - June 17, 2025

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

Improper Locking

Xorg RandR RRChangeProviderProperty Integer Overflow
CVE-2025-49180 7.8 - High - June 17, 2025

A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.

Integer Overflow or Wraparound

Integer Overflow in X Record Extension of X11 Server Bypass Length Check
CVE-2025-49179 7.3 - High - June 17, 2025

A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.

Integer Overflow or Wraparound

X11 XFixes Extension Memory Read via Request Length Omission
CVE-2025-49177 6.1 - Medium - June 17, 2025

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

Information Disclosure

Integer Overflow in BigRequests Extension Enables Request Size Bypass
CVE-2025-49176 7.3 - High - June 17, 2025

A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.

Integer Overflow or Wraparound

X11 Xorg OOB Read via X Rendering Ext Cursor Handling
CVE-2025-49175 6.1 - Medium - June 17, 2025

A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.

Out-of-bounds Read

FreeIPA PrivEsc via duplicate krbCanonicalName yielding admin creds
CVE-2025-4404 9.1 - Critical - June 17, 2025

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Insufficient Granularity of Access Control

PAM Namespace Race: Local Priv Escal via Symlinks in linux-pam
CVE-2025-6020 7.8 - High - June 17, 2025

A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Directory traversal

UAF in libxml2 XPath Parsing via sch:name Path (CVE-2025-49794)
CVE-2025-49794 9.1 - Critical - June 16, 2025

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in a crash of the program using libxml or other possible undefined behaviors.

Dangling pointer

Memory Corruption in libxml2 via sch:name -> DoS
CVE-2025-49796 9.1 - Critical - June 16, 2025

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

Out-of-bounds Read

Stack Overflow in libxml2 xmlBuildQName (CVE-2025-6021)
CVE-2025-6021 7.5 - High - June 12, 2025

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Stack Overflow

Integer Overflow in libarchive RAR Reader Causes Double-Free
CVE-2025-5914 7.8 - High - June 09, 2025

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Double-free

ICU Stack Buffer Overflow in Genrb: Local Arbitrary Code Execution
CVE-2025-5222 7 - High - May 27, 2025

A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

Classic Buffer Overflow

GIMP TGA Heap Buffer Overflow Causing Crashes
CVE-2025-48797 7.3 - High - May 27, 2025

A flaw was found in GIMP when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow.

Heap-based Buffer Overflow

GIMP XCF UAF via crafted image causing crash
CVE-2025-48798 7.3 - High - May 27, 2025

A flaw was found in GIMP when processing XCF image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing use-after-free issues.

Dangling pointer

GNOME-RD: Unauth RDP Resource Exhaustion Crash in gnome-remote-desktop
CVE-2025-5024 7.4 - High - May 22, 2025

A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop listens for RDP connections, an unauthenticated attacker can exhaust system resources and repeatedly crash the process. There may be a resource leak after many attacks, which will also result in gnome-remote-desktop no longer being able to open files even after it is restarted via systemd.

Resource Exhaustion

Libsoup Cookie Expiration Integer Overflow
CVE-2025-4945 3.7 - Low - May 19, 2025

A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.

Integer Overflow or Wraparound

libsoup Integer Underflow in multipart parsing leads to DoS
CVE-2025-4948 7.5 - High - May 19, 2025

A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk.

Integer underflow

GLib GString Integer Overflow Leading to Buffer Underrun
CVE-2025-4373 4.8 - Medium - May 06, 2025

A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.

buffer underrun

Apache mod_auth_openidc POST Crash via OIDCPreservePost
CVE-2025-3891 7.5 - High - April 29, 2025

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

Uncaught Exception

libsoup Authorization Header Leak on HTTP Redirect (CVE-2025-46421)
CVE-2025-46421 6.8 - Medium - April 24, 2025

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Memory Leak in libsoup's soup_header_parse_quality_list()
CVE-2025-46420 6.5 - Medium - April 24, 2025

A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.

Memory Leak

Apache HTTP Server mod_proxy_cluster <Directory> misconfig allows MCMP hijack
CVE-2024-10306 5.4 - Medium - April 23, 2025

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

AuthZ
