Red Hat Rhivos
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Rhivos.
By the Year
In 2025 there have been 37 vulnerabilities in Red Hat Rhivos with an average score of 6.7 out of ten. Last year, in 2024 Rhivos had 1 security vulnerability published. That is, 36 more vulnerabilities have already been reported in 2025 as compared to last year. Last year, the average CVE base score was greater by 1.07
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 37 | 6.73 |
| 2024 | 1 | 7.80 |
It may take a day or so for new Rhivos vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Rhivos Security Vulnerabilities
QEMU QIOChannelWebsock UAF via WebSocket handshake
CVE-2025-11234
7.5 - High
- October 03, 2025
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
Dangling pointer
FreeIPA Privilege Escalation via Missing krbCanonicalName Validation
CVE-2025-7493
9.1 - Critical
- September 30, 2025
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Insufficient Granularity of Access Control
libsoup OOB read via cookie date handling flaw
CVE-2025-11021
7.5 - High
- September 26, 2025
A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.
Out-of-bounds Read
Libtiff Write-What-Where via TIFF Height Field
CVE-2025-9900
8.8 - High
- September 23, 2025
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Write-what-where Condition
Podman Build Context Leakage via RUN --mount=type=bind
CVE-2025-4953
7.4 - High
- September 16, 2025
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
Creation of Temporary File With Insecure Permissions
libssh KEX Memory Leak Triggered by Repeated Incorrect Key Exchange Guesses
CVE-2025-8277
3.1 - Low
- September 09, 2025
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
Memory Leak
Podman v4.0.0–v5.6.1: kube Play Overwrite Host Files via Symlink Volumes
CVE-2025-9566
8.1 - High
- September 05, 2025
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
Directory traversal
Undertow DoS via MadeYouReset Server-Reset Abuse
CVE-2025-9784
7.5 - High
- September 02, 2025
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Allocation of Resources Without Limits or Throttling
Linux-PAM pam_namespace LPE via Symlink Race
CVE-2025-8941
7.8 - High
- August 13, 2025
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.
Directory traversal
GnuTLS NULL Deref in figure_common_ciphersuite()
CVE-2025-6395
6.5 - Medium
- July 10, 2025
A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().
NULL Pointer Dereference
libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425
7.8 - High
- July 10, 2025
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
Dangling pointer
GnuTLS certtool Heap OOB Null Write in Template Parsing – DoS
CVE-2025-32990
6.5 - Medium
- July 10, 2025
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.
Heap-based Buffer Overflow
GnuTLS CT SCT Heap-Buffer-Overread (CVE-2025-32989)
CVE-2025-32989
5.3 - Medium
- July 10, 2025
A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.
Improper Certificate Validation
GnuTLS Double-Free in SAN Export Logic (CVE-2025-32988)
CVE-2025-32988
6.5 - Medium
- July 10, 2025
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
Double-free
Podman TLS Cert Bypass in machine init Allows MITM
CVE-2025-6032
8.3 - High
- June 24, 2025
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
Improper Certificate Validation
OOB Read in libssh SFTP Handle (CVE-2025-5318)
CVE-2025-5318
5.4 - Medium
- June 24, 2025
A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.
Out-of-bounds Read
PAM Namespace Race: Local Priv Escal via Symlinks in linux-pam
CVE-2025-6020
7.8 - High
- June 17, 2025
A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
Directory traversal
libxml2 NULL ptr deref via XPath causes DoS
CVE-2025-49795
7.5 - High
- June 16, 2025
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
Dangling pointer
UAF in libxml2 XPath Parsing via sch:name Path (CVE-2025-49794)
CVE-2025-49794
9.1 - Critical
- June 16, 2025
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Dangling pointer
Memory Corruption in libxml2 via sch:name -> DoS
CVE-2025-49796
9.1 - Critical
- June 16, 2025
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
Out-of-bounds Read
xmllint CLI Buffer Overflow via Oversized Input in Interactive Shell
CVE-2025-6170
2.5 - Low
- June 16, 2025
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.
Stack Overflow
Stack Overflow in libxml2 xmlBuildQName (CVE-2025-6021)
CVE-2025-6021
7.5 - High
- June 12, 2025
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
Stack Overflow
Integer Overflow in libarchive RAR Reader Causes Double-Free
CVE-2025-5914
7.3 - High
- June 09, 2025
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
Double-free
DoS via Block Size Mismatch in nbdkit Server
CVE-2025-47711
4.3 - Medium
- June 09, 2025
There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.
off-by-five
nbdkit Blocksize Filter: DoS via Large Range Request
CVE-2025-47712
4.3 - Medium
- June 09, 2025
A flaw exists in the nbdkit "blocksize" filter that can be triggered by a specific type of client request. When a client requests block status information for a very large data range, exceeding a certain limit, it causes an internal error in the nbdkit, leading to a denial of service.
Integer Overflow or Wraparound
systemd-coredump CRASH Race Enables SUID Dump Credential Leak
CVE-2025-4598
4.7 - Medium
- May 30, 2025
A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
Signal Handler Race Condition
GLib GString Integer Overflow Leading to Buffer Underrun
CVE-2025-4373
4.8 - Medium
- May 06, 2025
A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
buffer underrun
Apache HTTP Server mod_proxy_cluster <Directory> misconfig allows MCMP hijack
CVE-2024-10306
5.4 - Medium
- April 23, 2025
A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.
AuthZ
MIT Kerberos GSSAPI Msg Spoof via RC4-HMAC-MD5 Coll
CVE-2025-3576
5.9 - Medium
- April 15, 2025
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
Reversible One-Way Hash
DoS via Stack Overflow in libexpat Recursive Entity Expansion
CVE-2024-8176
7.5 - High
- March 14, 2025
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
Stack Exhaustion
grub2 Heap OOB Write via Tar Integer Overflow in Secure Boot Circumvention
CVE-2024-45780
6.7 - Medium
- March 03, 2025
A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It's possible to cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write. This flaw eventually allows an attacker to circumvent secure boot protections.
Memory Corruption
Emacs URL Redirect Injection: Remote Shell
CVE-2025-1244
8.8 - High
- February 12, 2025
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Shell injection
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
- February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
XSS
CVE-2024-11218: Podman Build Race Allows Host Enumeration
CVE-2024-11218
8.6 - High
- January 22, 2025
A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.
Improper Privilege Management
Rsync Race Condition Enables Symlink Traversal, Potential PrivEsc
CVE-2024-12747
5.6 - Medium
- January 14, 2025
A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.
Race Condition
Rsync --safe-links Path Traversal, Arbitrary File Write
CVE-2024-12088
6.5 - Medium
- January 14, 2025
A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
Directory traversal
Path traversal in rsync via --inc-recursive option
CVE-2024-12087
6.5 - Medium
- January 14, 2025
A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
Directory traversal
Buildah Cache Mount Path Traversal via RUN Instruction
CVE-2024-9675
7.8 - High
- October 09, 2024
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.
Directory traversal
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Rhivos or by Red Hat? Click the Watch button to subscribe.
