Rhui Red Hat Rhui

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Rhui.

Recent Red Hat Rhui Security Advisories

Advisory Title Published
RHSA-2026:10754 (RHSA-2026:10754) Important: RHUI 4.11.4 security update - python-pyOpenSSL April 27, 2026
RHSA-2026:1485 (RHSA-2026:1485) Important: RHUI 4.11.3 security update - python-urllib3 January 28, 2026
RHSA-2025:1335 (RHSA-2025:1335) Important: RHUI 4.11 security, bugfix, and enhancement update February 12, 2025
RHSA-2024:1878 (RHSA-2024:1878) Moderate: RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements April 18, 2024
RHSA-2023:4591 (RHSA-2023:4591) Moderate: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements August 9, 2023
RHSA-2023:2101 (RHSA-2023:2101) Moderate: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update May 3, 2023
RHSA-2023:0742 (RHSA-2023:0742) Low: RHUI 4.3.0 release - Security Fixes, Bug Fixes, and Enhancements Update February 13, 2023
RHSA-2022:5602 (RHSA-2022:5602) Important: RHUI 4.1.1 release - Security Fixes and Enhancement Update July 19, 2022

By the Year

In 2026 there have been 55 vulnerabilities in Red Hat Rhui with an average score of 7.4 out of ten. Last year, in 2025 Rhui had 4 security vulnerabilities published. That is, 51 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.89.

Year Vulnerabilities Average Score
2026 55 7.37
2025 4 6.48
2024 4 7.50

It may take a day or so for new Rhui vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Rhui Security Vulnerabilities

libsolv PGP EdDSA Buffer Overflow (CVE-2026-48863)
CVE-2026-48863 7.5 - High - July 16, 2026

A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffer. A remote attacker could craft a malicious Ed25519 PGP signature with mismatched MPI lengths. Processing this crafted signature could lead to a denial of service in automated package or repository processing workflows.

Stack Overflow

GnuTLS UAF in pkcs11_token_set_pin on NULL SO PIN
CVE-2026-42014 6.6 - Medium - June 16, 2026

A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

Dangling pointer

OpenSSL PKCS#7 UAF via PKCS7_verify(); FIPS 3.6+ safe
CVE-2026-45447 8.1 - High - June 09, 2026

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Dangling pointer

AIOHTTP <3.14: CookieJar.load() RCE via untrusted input
CVE-2026-34993 7.2 - High - June 02, 2026

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

Marshaling, Unmarshaling

GnuTLS PKCS#7 Padding Timing SideChannel Info Disclosure
CVE-2026-5419 3.7 - Low - June 01, 2026

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.

Observable Timing Discrepancy

PyJWT <=2.12: HMAC verifier may use issuer JWK as secret key
CVE-2026-48526 7.4 - High - May 28, 2026

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.

authentification

GnuTLS PKCS#12 Bag Off-by-One Buffer Overwrite
CVE-2026-42015 5.3 - Medium - May 26, 2026

A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.

off-by-five

GnuTLS SAN Size ForkCheck Bypass
CVE-2026-42013 8.2 - High - May 26, 2026

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

Improper Certificate Validation

GNUTLS Certificate Validation Bypass via URI/SRV SAN Fallback
CVE-2026-42012 7.1 - High - May 26, 2026

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

Improper Certificate Validation

Libgnutls RSA PKCS#11 Key Exchange Overread Info Disclosure
CVE-2026-5260 8.2 - High - May 26, 2026

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

Buffer Over-read

libsolv Heap Buffer Overflow via .solv Decompression
CVE-2026-48864 7.8 - High - May 26, 2026

A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.

Memory Corruption

libsolv Heap B.O. in repo_add_solv via negative .solv size
CVE-2026-9149 6.5 - Medium - May 20, 2026

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

Heap-based Buffer Overflow

Red Hat libsolv Stack Buffer Overflow in Debian METADATA Parser
CVE-2026-9150 6.5 - Medium - May 20, 2026

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.

Stack Overflow

GnuTLS DTLS DoS via Duplicate Seq Number Reordering
CVE-2026-42009 7.5 - High - May 18, 2026

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Undefined Behavior for Input to API

urllib3 2.6.0-<2.7.0 Decompress Whole Response DoS via Brotli
CVE-2026-44432 7.5 - High - May 13, 2026

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.

Data Amplification

Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE Capture
CVE-2026-42945 8.1 - High - May 13, 2026

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Heap-based Buffer Overflow

Denial of Service via Attribute Name Collision in libexpat < 2.8.1
CVE-2026-45186 7.5 - High - May 10, 2026

In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

Inefficient Algorithmic Complexity

GNUTLS Name Constraint Bypass (CVE-2026-42011)
CVE-2026-42011 7.4 - High - May 07, 2026

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Improper Certificate Validation

GNUTLS RSA-PSK Username NUL Bypass Auth
CVE-2026-42010 7.1 - High - May 07, 2026

A flaw was found in gnutls. Servers configured with RSA-PSK (RivestShamirAdleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Improper Null Termination

Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly (CVE-2026-33846)
CVE-2026-33846 7.5 - High - May 04, 2026

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

length manipulation

OOB Read via DTLS Fragment Underflow in GnuTLS
CVE-2026-33845 7.5 - High - April 30, 2026

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Integer underflow

GnuTLS OCSP Multi-Record Logic Error Allows Revoked Cert Acceptance
CVE-2026-3832 3.7 - Low - April 30, 2026

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.

Incorrect Behavior Order: Early Validation

GnuTLS SAN case-sensitivity flaw can bypass nameConstraints
CVE-2026-3833 6.5 - Medium - April 30, 2026

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Improper Handling of Case Sensitivity

Python CPython "webbrowser.open" "%action" URL injection (CVE-2026-4786)
CVE-2026-4786 7.1 - High - April 13, 2026

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Command Injection

UAF in CPython lzma/BZ2/gzip Decompressors before v3.15.0
CVE-2026-6100 8.1 - High - April 13, 2026

Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Dangling pointer

libcap TOCTOU in cap_set_file() leads to privilege escalation
CVE-2026-4878 6.7 - Medium - April 09, 2026

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

TOCTTOU

Vim <9.2.0276 Modeline Sandbox Bypass OS Command Exec
CVE-2026-34982 8.2 - High - April 06, 2026

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Shell injection

Sudo Priv Esc via non-fatal setuid failure pre-3e474c2 before 1.9.17p2
CVE-2026-35535 7.4 - High - April 03, 2026

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

Privilege Dropping / Lowering Errors

OpenSSH <10.3 Setuid/Gid Escalation via SCP -O (no -p)
CVE-2026-35385 7.5 - High - April 02, 2026

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Improper Preservation of Permissions

Integer Overflow in libarchive ZISofs Block Pointer on 32bit
CVE-2026-5121 9.8 - Critical - March 30, 2026

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Integer Overflow or Wraparound

CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100 5.3 - Medium - March 26, 2026

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Access of Uninitialized Pointer

Vim <9.2.0202: glob() Command Injection on Unix
CVE-2026-33412 7.3 - High - March 24, 2026

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Shell injection

NGINX DAV Module Buffer Overflow via MOVE/COPY
CVE-2026-27654 8.2 - High - March 24, 2026

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Heap-based Buffer Overflow

NGINX ngx_mail_auth_http_module causes worker process crash
CVE-2026-27651 7.5 - High - March 24, 2026

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

NULL Pointer Dereference

Buffer Overread/Write in NGINX ngx_http_mp4_module via MP4 File
CVE-2026-32647 7.8 - High - March 24, 2026

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Out-of-bounds Read

NGINX 32-bit Open Src ngx_http_mp4_module Mem Overwrite via MP4
CVE-2026-27784 7.5 - High - March 24, 2026

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Integer Overflow or Wraparound

CPython webbrowser.open() Leading-Dash URL Injection in 3.15
CVE-2026-4519 7.1 - High - March 20, 2026

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Improper Input Validation

libarchive Heap OOB Read via Craft RAR Archive
CVE-2026-4424 7.5 - High - March 19, 2026

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Out-of-bounds Read

nghttp21.68.1: assertion fail via FRAME_SIZE_ERROR after session termination
CVE-2026-27135 7.5 - High - March 18, 2026

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

assertion failure

pyOpenSSL CVE-2026-27459: Buffer Overflow via cookie callback (22.0.0-26.0.0)
CVE-2026-27459 8.1 - High - March 17, 2026

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

Classic Buffer Overflow

Infinite Loop in libarchive RAR5 Decompression causing DoS
CVE-2026-4111 7.5 - High - March 13, 2026

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Infinite Loop

OpenSSH GSSAPI: Uninitialized Variables via sshpkt_disconnect
CVE-2026-3497 8.2 - High - March 12, 2026

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Use of Uninitialized Resource

Go net/url Host Validation Flaw in Parse (v<1.25.8, <1.26.1)
CVE-2026-25679 7.5 - High - March 06, 2026

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Improper Validation of Syntactic Correctness of Input

Heap Buffer Overflow in PostgreSQL pgcrypto (pre 18.2/17.8/16.12/15.16/14.21) OS Exploit
CVE-2026-2005 8.8 - High - February 12, 2026

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Heap-based Buffer Overflow

PostgreSQL Buffer Overrun via Char Valid. (18.2/17.8/16.12/15.16/14.21)
CVE-2026-2006 8.8 - High - February 12, 2026

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

out-of-bounds array index

PostgreSQL intarray RCE before 18.2/17.8/16.12/15.16/14.21
CVE-2026-2004 8.8 - High - February 12, 2026

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Improper Validation of Specified Type of Input

GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 5.3 - Medium - February 09, 2026

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Inefficient Algorithmic Complexity

Django SQLi via order_by alias before 6.0.2/5.2.11/4.2.28
CVE-2026-1312 8.5 - High - February 03, 2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

SQL Injection

SQLi via FilteredRelation column aliases before Django 6.0.2
CVE-2026-1287 8.3 - High - February 03, 2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

SQL Injection

SQL Injection in Django RasterField (PostGIS) before 6.0.2, 5.2.11, 4.2.28
CVE-2026-1207 8.3 - High - February 03, 2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

SQL Injection

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Rhui or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

Red Hat Rhui
Product

subscribe