Red Hat Rhui

Recent Red Hat Rhui Security Advisories

| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:10754 | Important: RHUI 4.11.4 security update - python-pyOpenSSL | April 27, 2026 |
| RHSA-2026:1485 | Important: RHUI 4.11.3 security update - python-urllib3 | January 28, 2026 |
| RHSA-2025:1335 | Important: RHUI 4.11 security, bugfix, and enhancement update | February 12, 2025 |
| RHSA-2024:1878 | Moderate: RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements | April 18, 2024 |
| RHSA-2023:4591 | Moderate: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements | August 9, 2023 |
| RHSA-2023:2101 | Moderate: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update | May 3, 2023 |
| RHSA-2023:0742 | Low: RHUI 4.3.0 release - Security Fixes, Bug Fixes, and Enhancements Update | February 13, 2023 |
| RHSA-2022:5602 | Important: RHUI 4.1.1 release - Security Fixes and Enhancement Update | July 19, 2022 |

By the Year

In 2026 there have been 5 vulnerabilities in Red Hat Rhui, with an average CVSS base score of 6.8 out of ten. Last year, in 2025, Rhui had 2 security vulnerabilities published, so 3 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 0.08.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 5 | 6.82 |
| 2025 | 2 | 6.90 |
| 2024 | 4 | 7.50 |

It may take a day or so for new Rhui vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Rhui Security Vulnerabilities

Integer Overflow in libarchive ZISofs Block Pointer on 32bit
CVE-2026-5121 9.8 - Critical - March 30, 2026

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Integer Overflow or Wraparound

libarchive Heap OOB Read via Crafted RAR Archive
CVE-2026-4424 7.5 - High - March 19, 2026

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Out-of-bounds Read

Infinite Loop in libarchive RAR5 Decompression causing DoS
CVE-2026-4111 7.5 - High - March 13, 2026

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Infinite Loop

GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 5.3 - Medium - February 09, 2026

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Inefficient Algorithmic Complexity

GnuTLS Stack Buffer Overflow in PKCS#11 Init Allows DoS/Code Exec
CVE-2025-9820 4 - Medium - January 26, 2026

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Stack Overflow

Heap Buffer Overread in util-linux setpwnam() (256-byte usernames)
CVE-2025-14104 6.1 - Medium - December 05, 2025

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Out-of-bounds Read

Glib Heap Buffer Overflow in g_escape_uri_string()
CVE-2025-13601 7.7 - High - November 26, 2025

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Integer Overflow or Wraparound

Auth Bypass in Pulpcore v3.0+ via Gunicorn <=22.0 + mod_proxy
CVE-2024-7923 - September 04, 2024

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

Authentication

Pulp RBAC flaw causes improper perms via AutoAddObjPermsMixin (CVE-2024-7143)
CVE-2024-7143 - August 07, 2024

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

Insecure Inherited Permissions

python-cryptography: Remote Decryption of TLS RSA Exchanges
CVE-2023-50782 7.5 - High - February 05, 2024

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Side Channel Attack

Remote Decrypt in TLS RSA via M2Crypto: CVE-2023-50781
CVE-2023-50781 7.5 - High - February 05, 2024

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Side Channel Attack

Vendor: Red Hat
Product: Red Hat Rhui