Inspecting raw image manifest quay.io/redhat-appstudio-qe/build-e2e-oifp/go-component-drfezg@sha256:6f23f06fc84e00e77dc40e47b30d375c0ec20c1f19d08c7bd57afc6102837850. Selecting auth Using token for quay.io/redhat-appstudio-qe/build-e2e-oifp/go-component-drfezg Selecting auth Using token for quay.io/redhat-appstudio-qe/build-e2e-oifp/go-component-drfezg WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see https://github.com/sigstore/cosign/issues/2755). Instead, please use SBOM attestations. WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation '. Found SBOM of media type: text/spdx+json Running TPA scan on amd64 image manifest... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed { "scanned" : { "total" : 724, "direct" : 339, "transitive" : 385 }, "providers" : { "rhtpa" : { "status" : { "ok" : true, "name" : "rhtpa", "code" : 200, "message" : "OK", "warnings" : { "pkg:golang/cmd/objdump" : [ "Unable to process: missing version component" ], "pkg:golang/github.com/go-delve/delve/cmd/dlv" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/addr2line" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/cgo" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/buildid" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/doc" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/trace" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/link" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/vet" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/dist" : [ "Unable to process: missing version component" ], "pkg:golang/cmd/nm" : [ "Unable to process: missing version component" ] } }, "sources" : { "osv-github" : { "summary" : { "direct" : 33, "transitive" : 8, "total" : 41, "dependencies" : 14, "critical" : 0, "high" : 12, "medium" : 13, "low" : 3, "unknown" : 13, "remediations" : 0, "recommendations" : 1, "unscanned" : 0 }, "dependencies" : [ { "ref" : "pkg:pypi/setuptools@53.0.0", "issues" : [ { "id" : "CVE-2024-6345", "source" : "osv-github", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false }, { "id" : "CVE-2022-40897", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-40897" ], "unique" : false }, { "id" : "CVE-2025-47273", "title" : "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write", "source" : "osv-github", "cves" : [ "CVE-2025-47273" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2024-6345", "source" : "osv-github", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false } }, { "ref" : "pkg:npm/tar@6.1.11", "issues" : [ { "id" : "CVE-2026-23950", "title" : "node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS", "source" : "osv-github", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2026-23950" ], "unique" : false }, { "id" : "CVE-2026-24842", "title" : "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal", "source" : "osv-github", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-24842" ], "unique" : false }, { "id" : "CVE-2026-26960", "source" : "osv-github", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-26960" ], "unique" : false }, { "id" : "CVE-2024-28863", "title" : "node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation", "source" : "osv-github", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28863" ], "unique" : false }, { "id" : "CVE-2026-23745", "title" : "node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization", "source" : "osv-github", "cves" : [ "CVE-2026-23745" ], "unique" : false }, { "id" : "CVE-2026-29786", "title" : "node-tar: Hardlink Path Traversal via Drive-Relative Linkpath", "source" : "osv-github", "cves" : [ "CVE-2026-29786" ], "unique" : false }, { "id" : "CVE-2026-31802", "source" : "osv-github", "cves" : [ "CVE-2026-31802" ], "unique" : false }, { "id" : "CVE-2026-53655", "title" : "node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)", "source" : "osv-github", "cves" : [ "CVE-2026-53655" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-23950", "title" : "node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS", "source" : "osv-github", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2026-23950" ], "unique" : false } }, { "ref" : "pkg:npm/ip@2.0.0", "issues" : [ { "id" : "CVE-2024-29415", "title" : "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", "source" : "osv-github", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-29415" ], "unique" : false }, { "id" : "CVE-2023-42282", "title" : "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", "source" : "osv-github", "cves" : [ "CVE-2023-42282" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2024-29415", "title" : "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", "source" : "osv-github", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-29415" ], "unique" : false } }, { "ref" : "pkg:npm/http-cache-semantics@4.1.0", "issues" : [ { "id" : "CVE-2022-25881", "title" : "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25881" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2022-25881", "title" : "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25881" ], "unique" : false } }, { "ref" : "pkg:npm/minimatch@5.1.0", "issues" : [ { "id" : "CVE-2026-27903", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27903" ], "unique" : false }, { "id" : "CVE-2026-27904", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27904" ], "unique" : false }, { "id" : "CVE-2026-26996", "source" : "osv-github", "cves" : [ "CVE-2026-26996" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-27903", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27903" ], "unique" : false } }, { "ref" : "pkg:npm/minimatch@3.1.2", "issues" : [ { "id" : "CVE-2026-27903", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27903" ], "unique" : false }, { "id" : "CVE-2026-27904", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27904" ], "unique" : false }, { "id" : "CVE-2026-26996", "source" : "osv-github", "cves" : [ "CVE-2026-26996" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-27903", "source" : "osv-github", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27903" ], "unique" : false } }, { "ref" : "pkg:npm/npm@8.19.2", "issues" : [ { "id" : "CVE-2026-0775", "title" : "npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability", "source" : "osv-github", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-0775" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-0775", "title" : "npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability", "source" : "osv-github", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-0775" ], "unique" : false } }, { "ref" : "pkg:npm/brace-expansion@1.1.11", "issues" : [ { "id" : "CVE-2026-33750", "title" : "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "source" : "osv-github", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-33750" ], "unique" : false }, { "id" : "CVE-2025-5889", "title" : "juliangruber brace-expansion index.js expand redos", "source" : "osv-github", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2025-5889" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-33750", "title" : "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "source" : "osv-github", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-33750" ], "unique" : false } }, { "ref" : "pkg:npm/brace-expansion@2.0.1", "issues" : [ { "id" : "CVE-2026-33750", "title" : "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "source" : "osv-github", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-33750" ], "unique" : false }, { "id" : "CVE-2025-5889", "title" : "juliangruber brace-expansion index.js expand redos", "source" : "osv-github", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2025-5889" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-33750", "title" : "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "source" : "osv-github", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-33750" ], "unique" : false } }, { "ref" : "pkg:pypi/idna@2.10", "issues" : [ { "id" : "CVE-2024-3651", "source" : "osv-github", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-3651" ], "unique" : false }, { "id" : "CVE-2026-45409", "title" : "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix", "source" : "osv-github", "cves" : [ "CVE-2026-45409" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2024-3651", "source" : "osv-github", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-3651" ], "unique" : false } }, { "ref" : "pkg:pypi/requests@2.25.1", "issues" : [ { "id" : "CVE-2023-32681", "title" : "Unintended leak of Proxy-Authorization header in requests", "source" : "osv-github", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-32681" ], "unique" : false }, { "id" : "CVE-2024-35195", "title" : "Requests `Session` object does not verify requests after making first request with verify=False", "source" : "osv-github", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35195" ], "unique" : false }, { "id" : "CVE-2024-47081", "title" : "Requests vulnerable to .netrc credentials leak via malicious URLs", "source" : "osv-github", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-47081" ], "unique" : false }, { "id" : "CVE-2026-25645", "title" : "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function", "source" : "osv-github", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-25645" ], "unique" : false } ], "transitive" : [ { "ref" : "pkg:pypi/idna@2.10", "issues" : [ { "id" : "CVE-2024-3651", "source" : "osv-github", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-3651" ], "unique" : false }, { "id" : "CVE-2026-45409", "title" : "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix", "source" : "osv-github", "cves" : [ "CVE-2026-45409" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3651", "source" : "osv-github", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-3651" ], "unique" : false } }, { "ref" : "pkg:pypi/urllib3@1.26.5", "issues" : [ { "id" : "CVE-2023-43804", "source" : "osv-github", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43804" ], "unique" : false }, { "id" : "CVE-2025-50181", "source" : "osv-github", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-50181" ], "unique" : false }, { "id" : "CVE-2026-44431", "title" : "urllib3: Sensitive headers forwarded across origins in proxied low-level redirects", "source" : "osv-github", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-44431" ], "unique" : false }, { "id" : "CVE-2024-37891", "source" : "osv-github", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37891" ], "unique" : false }, { "id" : "CVE-2023-45803", "source" : "osv-github", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45803" ], "unique" : false }, { "id" : "CVE-2025-66418", "source" : "osv-github", "cves" : [ "CVE-2025-66418" ], "unique" : false }, { "id" : "CVE-2025-66471", "source" : "osv-github", "cves" : [ "CVE-2025-66471" ], "unique" : false }, { "id" : "CVE-2026-21441", "title" : "urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)", "source" : "osv-github", "cves" : [ "CVE-2026-21441" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-43804", "source" : "osv-github", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43804" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2024-3651", "source" : "osv-github", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-3651" ], "unique" : false } }, { "ref" : "pkg:npm/%40tootallnate/once@2.0.0", "issues" : [ { "id" : "CVE-2026-3449", "title" : "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", "source" : "osv-github", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-3449" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-3449", "title" : "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", "source" : "osv-github", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-3449" ], "unique" : false } }, { "ref" : "pkg:npm/diff@5.1.0", "issues" : [ { "id" : "CVE-2026-24001", "title" : "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "source" : "osv-github", "cves" : [ "CVE-2026-24001" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2026-24001", "title" : "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "source" : "osv-github", "cves" : [ "CVE-2026-24001" ], "unique" : false } }, { "ref" : "pkg:pypi/pysocks@1.7.1", "recommendation" : "pkg:pypi/pysocks@1.7.1?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" } ] }, "redhat-csaf" : { "summary" : { "direct" : 544, "transitive" : 1161, "total" : 1705, "dependencies" : 171, "critical" : 27, "high" : 675, "medium" : 880, "low" : 120, "unknown" : 3, "remediations" : 0, "recommendations" : 0, "unscanned" : 0 }, "dependencies" : [ { "ref" : "pkg:rpm/redhat/binutils-gold@2.35.2-24.el9?arch=x86_64&distro=rhel-9.1&upstream=binutils-2.35.2-24.el9.src.rpm", "issues" : [ { "id" : "CVE-2022-4285", "title" : "An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-4285" ], "unique" : false }, { "id" : "CVE-2025-11082", "title" : "GNU Binutils Linker elf-eh-frame.c _bfd_elf_parse_eh_frame heap-based overflow", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11082" ], "unique" : false }, { "id" : "CVE-2025-11083", "title" : "GNU Binutils Linker elfcode.h elf_swap_shdr heap-based overflow", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11083" ], "unique" : false }, { "id" : "CVE-2025-5244", "title" : "GNU Binutils ld elflink.c elf_gc_sweep memory corruption", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5244" ], "unique" : false } ], "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl trans", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50264" ], "unique" : false }, { "id" : "CVE-2025-38110", "title" : "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38110" ], "unique" : false }, { "id" : "CVE-2024-53122", "title" : "mptcp: cope racing subflow creation in mptcp_rcv_space_adjust", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53122" ], "unique" : false }, { "id" : "CVE-2024-53197", "title" : "ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53197" ], "unique" : false }, { "id" : "CVE-2024-36941", "title" : "wifi: nl80211: don't free NULL coalescing rule", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36941" ], "unique" : false }, { "id" : "CVE-2024-38627", "title" : "stm class: Fix a double free in stm_register_device()", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38627" ], "unique" : false }, { "id" : "CVE-2022-50042", "title" : "net: genl: fix error path memory leak in policy dumping", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50042" ], "unique" : false }, { "id" : "CVE-2022-50353", "title" : "mmc: wmt-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50353" ], "unique" : false }, { "id" : "CVE-2022-50678", "title" : "wifi: brcmfmac: fix invalid address access when enabling SCAN log level", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50678" ], "unique" : false }, { "id" : "CVE-2023-1074", "title" : "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1074" ], "unique" : false }, { "id" : "CVE-2023-45862", "title" : "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45862" ], "unique" : false }, { "id" : "CVE-2023-52490", "title" : "mm: migrate: fix getting incorrect page mapping during page migration", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52490" ], "unique" : false }, { "id" : "CVE-2023-52658", "title" : "Revert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52658" ], "unique" : false }, { "id" : "CVE-2023-53291", "title" : "rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53291" ], "unique" : false }, { "id" : "CVE-2023-53391", "title" : "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53391" ], "unique" : false }, { "id" : "CVE-2023-53597", "title" : "cifs: fix mid leak during reconnection after timeout threshold", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53597" ], "unique" : false }, { "id" : "CVE-2023-53704", "title" : "clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53704" ], "unique" : false }, { "id" : "CVE-2023-54004", "title" : "udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54004" ], "unique" : false }, { "id" : "CVE-2023-54093", "title" : "media: anysee: fix null-ptr-deref in anysee_master_xfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54093" ], "unique" : false }, { "id" : "CVE-2023-54271", "title" : "blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54271" ], "unique" : false }, { "id" : "CVE-2023-7192", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7192" ], "unique" : false }, { "id" : "CVE-2024-0443", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0443" ], "unique" : false }, { "id" : "CVE-2024-26615", "title" : "net/smc: fix illegal rmb_desc access in SMC-D connection dump", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26615" ], "unique" : false }, { "id" : "CVE-2024-26878", "title" : "quota: Fix potential NULL pointer dereference", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26878" ], "unique" : false }, { "id" : "CVE-2024-27046", "title" : "nfp: flower: handle acti_netdevs allocation failure", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27046" ], "unique" : false }, { "id" : "CVE-2024-27052", "title" : "wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27052" ], "unique" : false }, { "id" : "CVE-2024-35789", "title" : "wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35789" ], "unique" : false }, { "id" : "CVE-2024-35852", "title" : "mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35852" ], "unique" : false }, { "id" : "CVE-2024-35890", "title" : "gro: fix ownership transfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35890" ], "unique" : false }, { "id" : "CVE-2024-35907", "title" : "mlxbf_gige: call request_irq() after NAPI initialized", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35907" ], "unique" : false }, { "id" : "CVE-2024-35952", "title" : "drm/ast: Fix soft lockup", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35952" ], "unique" : false }, { "id" : "CVE-2024-35989", "title" : "dmaengine: idxd: Fix oops during rmmod on single-CPU platforms", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35989" ], "unique" : false }, { "id" : "CVE-2024-39483", "title" : "KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-39483" ], "unique" : false }, { "id" : "CVE-2024-40959", "title" : "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-40959" ], "unique" : false }, { "id" : "CVE-2024-41035", "title" : "USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41035" ], "unique" : false }, { "id" : "CVE-2024-41064", "title" : "powerpc/eeh: avoid possible crash when edev->pdev changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41064" ], "unique" : false }, { "id" : "CVE-2024-42079", "title" : "gfs2: Fix NULL pointer dereference in gfs2_log_flush", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42079" ], "unique" : false }, { "id" : "CVE-2024-42272", "title" : "sched: act_ct: take care of padding in struct zones_ht_key", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42272" ], "unique" : false }, { "id" : "CVE-2024-42283", "title" : "net: nexthop: Initialize all fields in dumped nexthops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42283" ], "unique" : false }, { "id" : "CVE-2024-42322", "title" : "ipvs: properly dereference pe in ip_vs_add_service", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42322" ], "unique" : false }, { "id" : "CVE-2024-43854", "title" : "block: initialize integrity buffer to zero before writing it to media", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43854" ], "unique" : false }, { "id" : "CVE-2024-44990", "title" : "bonding: fix null pointer deref in bond_ipsec_offload_ok", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44990" ], "unique" : false }, { "id" : "CVE-2024-44994", "title" : "iommu: Restore lost return in iommu_report_device_fault()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44994" ], "unique" : false }, { "id" : "CVE-2024-45018", "title" : "netfilter: flowtable: initialise extack before use", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45018" ], "unique" : false }, { "id" : "CVE-2024-46713", "title" : "perf/aux: Fix AUX buffer serialization", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46713" ], "unique" : false }, { "id" : "CVE-2024-46824", "title" : "iommufd: Require drivers to supply the cache_invalidate_user ops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46824" ], "unique" : false }, { "id" : "CVE-2024-49949", "title" : "net: avoid potential underflow in qdisc_pkt_len_init() with UFO", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-49949" ], "unique" : false }, { "id" : "CVE-2024-50208", "title" : "RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50208" ], "unique" : false }, { "id" : "CVE-2024-50251", "title" : "netfilter: nft_payload: sanitize offset and length before calling skb_checksum()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50251" ], "unique" : false }, { "id" : "CVE-2024-50252", "title" : "mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50252" ], "unique" : false }, { "id" : "CVE-2024-53113", "title" : "mm: fix NULL pointer dereference in alloc_pages_bulk_noprof", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53113" ], "unique" : false }, { "id" : "CVE-2025-21669", "title" : "vsock/virtio: discard packets if the transport changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21669" ], "unique" : false }, { "id" : "CVE-2025-21962", "title" : "cifs: Fix integer overflow while processing closetimeo mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21962" ], "unique" : false }, { "id" : "CVE-2025-21963", "title" : "cifs: Fix integer overflow while processing acdirmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21963" ], "unique" : false }, { "id" : "CVE-2025-21964", "title" : "cifs: Fix integer overflow while processing acregmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21964" ], "unique" : false }, { "id" : "CVE-2025-37785", "title" : "ext4: fix OOB read when checking dotdot dir", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-37785" ], "unique" : false }, { "id" : "CVE-2025-38234", "title" : "sched/rt: Fix race in push_rt_task", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38234" ], "unique" : false }, { "id" : "CVE-2023-52448", "title" : "gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52448" ], "unique" : false }, { "id" : "CVE-2023-53755", "title" : "dmaengine: ptdma: check for null desc before calling pt_cmd_callback", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53755" ], "unique" : false }, { "id" : "CVE-2024-47745", "title" : "mm: call the security_mmap_file() LSM hook in remap_file_pages()", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-47745" ], "unique" : false }, { "id" : "CVE-2024-53088", "title" : "i40e: fix race condition by adding filter's intermediate sync state", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53088" ], "unique" : false }, { "id" : "CVE-2025-21961", "title" : "eth: bnxt: fix truesize for mb-xdp-pass case", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21961" ], "unique" : false }, { "id" : "CVE-2025-22036", "title" : "exfat: fix random stack corruption after get_block", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22036" ], "unique" : false }, { "id" : "CVE-2025-38417", "title" : "ice: fix eswitch code memory leak in reset scenario", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38417" ], "unique" : false }, { "id" : "CVE-2023-52771", "title" : "cxl/port: Fix delete_endpoint() vs parent unregistration race", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52771" ], "unique" : false }, { "id" : "CVE-2023-52864", "title" : "platform/x86: wmi: Fix opening of char device", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52864" ], "unique" : false }, { "id" : "CVE-2024-26855", "title" : "net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26855" ], "unique" : false }, { "id" : "CVE-2024-35845", "title" : "wifi: iwlwifi: dbg-tlv: ensure NUL termination", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35845" ], "unique" : false }, { "id" : "CVE-2024-36922", "title" : "wifi: iwlwifi: read txq->read_ptr under lock", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36922" ], "unique" : false }, { "id" : "CVE-2024-38555", "title" : "net/mlx5: Discard command completions in internal error", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38555" ], "unique" : false }, { "id" : "CVE-2024-38556", "title" : "net/mlx5: Add a timeout to acquire the command queue semaphore", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38556" ], "unique" : false }, { "id" : "CVE-2024-43855", "title" : "md: fix deadlock between mddev_suspend and flush bio", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43855" ], "unique" : false }, { "id" : "CVE-2024-46826", "title" : "ELF: fix kernel.randomize_va_space double read", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46826" ], "unique" : false }, { "id" : "CVE-2024-26897", "title" : "wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26897" ], "unique" : false }, { "id" : "CVE-2024-38586", "title" : "r8169: Fix possible ring buffer corruption on fragmented Tx packets.", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38586" ], "unique" : false }, { "id" : "CVE-2022-50846", "title" : "mmc: via-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2022-50846" ], "unique" : false }, { "id" : "CVE-2023-53639", "title" : "wifi: ath6kl: reduce WARN to dev_dbg() in callback", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-53639" ], "unique" : false }, { "id" : "CVE-2023-54153", "title" : "ext4: turn quotas off if mount failed after enabling quotas", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-54153" ], "unique" : false }, { "id" : "CVE-2023-54267", "title" : "powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2023-54267" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-devel@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl unit exists and is running.", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40223" ], "unique" : false }, { "id" : "CVE-2026-40228", "title" : "In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.", "source" : "redhat-csaf", "cvssScore" : 2.9, "severity" : "LOW", "cves" : [ "CVE-2026-40228" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/systemd-rpm-macros@250-12.el9_1.3?arch=noarch&distro=rhel-9.1&upstream=systemd-250-12.el9_1.3.src.rpm", "issues" : [ { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false }, { "id" : "CVE-2023-7008", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7008" ], "unique" : false }, { "id" : "CVE-2025-4598", "title" : "Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-4598" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/systemd-libs@250-12.el9_1.3?arch=x86_64&distro=rhel-9.1&upstream=systemd-250-12.el9_1.3.src.rpm", "issues" : [ { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false }, { "id" : "CVE-2023-7008", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7008" ], "unique" : false }, { "id" : "CVE-2025-4598", "title" : "Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-4598" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=xz-5.2.5-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libgcrypt@1.10.0-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=libgcrypt-1.10.0-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2026-41989", "title" : "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-41989" ], "unique" : false }, { "id" : "CVE-2024-2236", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-2236" ], "unique" : false }, { "id" : "CVE-2026-41990", "title" : "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-41990" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-41989", "title" : "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-41989" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/expat@2.4.9-1.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=expat-2.4.9-1.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false }, { "id" : "CVE-2024-28757", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-28757" ], "unique" : false }, { "id" : "CVE-2024-45490", "title" : "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45490" ], "unique" : false }, { "id" : "CVE-2024-45491", "title" : "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45491" ], "unique" : false }, { "id" : "CVE-2024-8176", "title" : "Libexpat: expat: improper restriction of xml entity expansion depth in libexpat", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-8176" ], "unique" : false }, { "id" : "CVE-2026-45186", "title" : "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-45186" ], "unique" : false }, { "id" : "CVE-2026-56132", "title" : "In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.", "source" : "redhat-csaf", "cvssScore" : 6.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-56132" ], "unique" : false }, { "id" : "CVE-2022-23990", "title" : "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-23990" ], "unique" : false }, { "id" : "CVE-2024-45492", "title" : "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45492" ], "unique" : false }, { "id" : "CVE-2024-50602", "title" : "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50602" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2026-50219", "title" : "libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,", "source" : "redhat-csaf", "cvssScore" : 4.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-50219" ], "unique" : false }, { "id" : "CVE-2026-41080", "title" : "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-41080" ], "unique" : false }, { "id" : "CVE-2013-0340", "source" : "redhat-csaf", "cves" : [ "CVE-2013-0340" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libblkid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false }, { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false }, { "id" : "CVE-2026-27456", "title" : "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27456" ], "unique" : false }, { "id" : "CVE-2026-3184", "title" : "Util-linux: util-linux: access control bypass due to improper hostname canonicalization", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3184" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/util-linux@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false }, { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false }, { "id" : "CVE-2026-27456", "title" : "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27456" ], "unique" : false }, { "id" : "CVE-2026-3184", "title" : "Util-linux: util-linux: access control bypass due to improper hostname canonicalization", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3184" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libeconf@0.4.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=libeconf-0.4.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-22652", "title" : "Stack buffer overflow in \"read_file\" function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22652" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-22652", "title" : "Stack buffer overflow in \"read_file\" function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22652" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/dbus@1.12.20-7.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=dbus-1.12.20-7.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-34969", "title" : "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-34969" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-34969", "title" : "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-34969" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libsmartcols@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/util-linux-core@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libuuid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gzip@1.12-1.el9?arch=x86_64&distro=rhel-9.1&upstream=gzip-1.12-1.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-41991", "title" : "Predictable Temporary File in GNU gzip", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-41991" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-41991", "title" : "Predictable Temporary File in GNU gzip", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-41991" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/shadow-utils@4.9-5.el9?arch=x86_64&distro=rhel-9.1&epoch=2&upstream=shadow-utils-4.9-5.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-4641", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4641" ], "unique" : false }, { "id" : "CVE-2024-56433", "title" : "shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.", "source" : "redhat-csaf", "cvssScore" : 3.6, "severity" : "LOW", "cves" : [ "CVE-2024-56433" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-4641", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4641" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/bzip2-libs@1.0.8-8.el9?arch=x86_64&distro=rhel-9.1&upstream=bzip2-1.0.8-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gdb-headless@10.2-10.el9?arch=x86_64&distro=rhel-9.1&upstream=gdb-10.2-10.el9.src.rpm", "issues" : [ { "id" : "CVE-2021-3826", "title" : "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-3826" ], "unique" : false } ], "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-setuptools-wheel@53.0.0-10.el9_1.1?arch=noarch&distro=rhel-9.1&upstream=python-setuptools-53.0.0-10.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-6345", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false }, { "id" : "CVE-2025-47273", "title" : "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-47273" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-6345", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-libs@3.9.14-1.el9_1.2?arch=x86_64&distro=rhel-9.1&upstream=python3.9-3.9.14-1.el9_1.2.src.rpm", "issues" : [ { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false }, { "id" : "CVE-2026-6100", "title" : "Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-6100" ], "unique" : false }, { "id" : "CVE-2023-6597", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-6597" ], "unique" : false }, { "id" : "CVE-2024-12718", "title" : "Bypass extraction filter to modify file metadata outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-12718" ], "unique" : false }, { "id" : "CVE-2025-4517", "title" : "Arbitrary writes via tarfile realpath overflow", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2025-4517" ], "unique" : false }, { "id" : "CVE-2023-24329", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24329" ], "unique" : false }, { "id" : "CVE-2024-6232", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-6232" ], "unique" : false }, { "id" : "CVE-2025-12084", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-12084" ], "unique" : false }, { "id" : "CVE-2025-4138", "title" : "Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4138" ], "unique" : false }, { "id" : "CVE-2025-4435", "title" : "Tarfile extracts filtered members when errorlevel=0", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4435" ], "unique" : false }, { "id" : "CVE-2025-8194", "title" : "Tarfile infinite loop during parsing with negative member offset", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-8194" ], "unique" : false }, { "id" : "CVE-2025-4330", "title" : "Extraction filter bypass for linking outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-4330" ], "unique" : false }, { "id" : "CVE-2025-15366", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15366" ], "unique" : false }, { "id" : "CVE-2025-15367", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15367" ], "unique" : false }, { "id" : "CVE-2026-1299", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-1299" ], "unique" : false }, { "id" : "CVE-2026-4519", "title" : "webbrowser.open() allows leading dashes in URLs", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4519" ], "unique" : false }, { "id" : "CVE-2026-4786", "title" : "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4786" ], "unique" : false }, { "id" : "CVE-2024-6923", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6923" ], "unique" : false }, { "id" : "CVE-2025-0938", "title" : "URL parser allowed square brackets in domain names", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0938" ], "unique" : false }, { "id" : "CVE-2025-13836", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13836" ], "unique" : false }, { "id" : "CVE-2024-9287", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-9287" ], "unique" : false }, { "id" : "CVE-2024-0450", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0450" ], "unique" : false }, { "id" : "CVE-2025-13837", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13837" ], "unique" : false }, { "id" : "CVE-2026-4224", "title" : "Stack overflow parsing XML with deeply nested DTD content models", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4224" ], "unique" : false }, { "id" : "CVE-2007-4559", "title" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2007-4559" ], "unique" : false }, { "id" : "CVE-2026-3644", "title" : "Incomplete control character validation in http.cookies", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3644" ], "unique" : false }, { "id" : "CVE-2023-27043", "title" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-27043" ], "unique" : false }, { "id" : "CVE-2024-8088", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-8088" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2024-0397", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0397" ], "unique" : false }, { "id" : "CVE-2024-7592", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-7592" ], "unique" : false }, { "id" : "CVE-2025-15282", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15282" ], "unique" : false }, { "id" : "CVE-2026-0672", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0672" ], "unique" : false }, { "id" : "CVE-2026-0865", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0865" ], "unique" : false }, { "id" : "CVE-2026-1502", "title" : "HTTP client proxy tunnel headers not validated for CR/LF", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1502" ], "unique" : false }, { "id" : "CVE-2025-6069", "title" : "HTMLParser quadratic complexity when processing malformed inputs", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6069" ], "unique" : false }, { "id" : "CVE-2025-8291", "title" : "ZIP64 End of Central Directory (EOCD) Locator record offset not checked", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8291" ], "unique" : false }, { "id" : "CVE-2025-6075", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6075" ], "unique" : false }, { "id" : "CVE-2024-11168", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-11168" ], "unique" : false }, { "id" : "CVE-2024-4032", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-4032" ], "unique" : false }, { "id" : "CVE-2026-2297", "title" : "SourcelessFileLoader does not use io.open_code()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-2297" ], "unique" : false }, { "id" : "CVE-2024-5642", "title" : "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "source" : "redhat-csaf", "cvssScore" : 2.7, "severity" : "LOW", "cves" : [ "CVE-2024-5642" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gnutls@3.7.6-12.el9_0?arch=x86_64&distro=rhel-9.1&upstream=gnutls-3.7.6-12.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2026-42013", "title" : "Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-42013" ], "unique" : false }, { "id" : "CVE-2026-5260", "title" : "Gnutls: gnutls: information disclosure via heap overread in rsa key exchange", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-5260" ], "unique" : false }, { "id" : "CVE-2024-0553", "title" : "Gnutls: incomplete fix for cve-2023-5981", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-0553" ], "unique" : false }, { "id" : "CVE-2024-0567", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-0567" ], "unique" : false }, { "id" : "CVE-2026-1584", "title" : "Gnutls: gnutls: remote denial of service via crafted clienthello with invalid psk binder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1584" ], "unique" : false }, { "id" : "CVE-2026-33845", "title" : "Gnutls: gnutls: denial of service via dtls zero-length fragment", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33845" ], "unique" : false }, { "id" : "CVE-2026-33846", "title" : "Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33846" ], "unique" : false }, { "id" : "CVE-2026-42009", "title" : "Gnutls: gnutls: denial of service via dtls packet reordering vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-42009" ], "unique" : false }, { "id" : "CVE-2023-0361", "title" : "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2023-0361" ], "unique" : false }, { "id" : "CVE-2026-42011", "title" : "Gnutls: gnutls: security bypass due to incorrect name constraint handling", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-42011" ], "unique" : false }, { "id" : "CVE-2026-42010", "title" : "Gnutls: gnutls: authentication bypass via nul character in username", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-42010" ], "unique" : false }, { "id" : "CVE-2026-42012", "title" : "Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-42012" ], "unique" : false }, { "id" : "CVE-2026-42014", "title" : "Gnutls: gnutls: use-after-free in gnutls_pkcs11_token_set_pin", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42014" ], "unique" : false }, { "id" : "CVE-2025-32988", "title" : "Gnutls: vulnerability in gnutls othername san export", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32988" ], "unique" : false }, { "id" : "CVE-2025-32990", "title" : "Gnutls: vulnerability in gnutls certtool template parsing", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32990" ], "unique" : false }, { "id" : "CVE-2025-6395", "title" : "Gnutls: null pointer dereference in _gnutls_figure_common_ciphersuite()", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6395" ], "unique" : false }, { "id" : "CVE-2026-3833", "title" : "Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3833" ], "unique" : false }, { "id" : "CVE-2023-5981", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5981" ], "unique" : false }, { "id" : "CVE-2024-12243", "title" : "Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12243" ], "unique" : false }, { "id" : "CVE-2024-28834", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28834" ], "unique" : false }, { "id" : "CVE-2025-14831", "title" : "Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14831" ], "unique" : false }, { "id" : "CVE-2025-32989", "title" : "Gnutls: vulnerability in gnutls sct extension parsing", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32989" ], "unique" : false }, { "id" : "CVE-2026-42015", "title" : "Gnutls: gnutls: memory corruption due to off-by-one error in pkcs#12 bag handling", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42015" ], "unique" : false }, { "id" : "CVE-2024-28835", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28835" ], "unique" : false }, { "id" : "CVE-2025-9820", "title" : "Gnutls: stack-based buffer overflow in gnutls_pkcs11_token_init() function", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9820" ], "unique" : false }, { "id" : "CVE-2026-3832", "title" : "Gnutls: gnutls: security bypass allows acceptance of revoked server certificates via crafted ocsp response", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3832" ], "unique" : false }, { "id" : "CVE-2026-5419", "title" : "Gnutls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-5419" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-42013", "title" : "Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-42013" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl = 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2022-21824" ], "unique" : false }, { "id" : "CVE-2023-32002", "title" : "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-32002" ], "unique" : false }, { "id" : "CVE-2024-21892", "title" : "On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE.\nDue to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set.\nThis allows unprivileged users to inject code that inherits the process's elevated privileges.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-21892" ], "unique" : false }, { "id" : "CVE-2024-21896", "title" : "The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 7.9, "severity" : "HIGH", "cves" : [ "CVE-2024-21896" ], "unique" : false }, { "id" : "CVE-2025-23083", "title" : "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \r\n\r\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-23083" ], "unique" : false }, { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false }, { "id" : "CVE-2021-35065", "title" : "The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2021-35065" ], "unique" : false }, { "id" : "CVE-2022-25881", "title" : "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25881" ], "unique" : false }, { "id" : "CVE-2022-25883", "title" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25883" ], "unique" : false }, { "id" : "CVE-2022-3517", "title" : "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3517" ], "unique" : false }, { "id" : "CVE-2022-43548", "title" : "A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-43548" ], "unique" : false }, { "id" : "CVE-2023-23918", "title" : "A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-23918" ], "unique" : false }, { "id" : "CVE-2023-23919", "title" : "A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-23919" ], "unique" : false }, { "id" : "CVE-2023-24807", "title" : "Undici vulnerable to Regular Expression Denial of Service in Headers", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24807" ], "unique" : false }, { "id" : "CVE-2023-30581", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-30581" ], "unique" : false }, { "id" : "CVE-2023-30590", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-30590" ], "unique" : false }, { "id" : "CVE-2023-32067", "title" : "0-byte UDP payload DoS in c-ares", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-32067" ], "unique" : false }, { "id" : "CVE-2023-32559", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-32559" ], "unique" : false }, { "id" : "CVE-2023-38552", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-38552" ], "unique" : false }, { "id" : "CVE-2023-39331", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-39331" ], "unique" : false }, { "id" : "CVE-2023-44487", "title" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-44487" ], "unique" : false }, { "id" : "CVE-2024-22019", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-22019" ], "unique" : false }, { "id" : "CVE-2024-27983", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-27983" ], "unique" : false }, { "id" : "CVE-2025-23166", "title" : "The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-23166" ], "unique" : false }, { "id" : "CVE-2025-59465", "title" : "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on('secureConnection', socket => {\n socket.on('error', err => {\n console.log(err)\n })\n})\n```", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-59465" ], "unique" : false }, { "id" : "CVE-2026-1526", "title" : "undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1526" ], "unique" : false }, { "id" : "CVE-2026-1528", "title" : "undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1528" ], "unique" : false }, { "id" : "CVE-2026-21710", "title" : "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-21710" ], "unique" : false }, { "id" : "CVE-2026-2229", "title" : "undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-2229" ], "unique" : false }, { "id" : "CVE-2026-27135", "title" : "nghttp2 Denial of service: Assertion failure due to the missing state validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27135" ], "unique" : false }, { "id" : "CVE-2021-44531", "title" : "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2021-44531" ], "unique" : false }, { "id" : "CVE-2021-44532", "title" : "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2021-44532" ], "unique" : false }, { "id" : "CVE-2021-44533", "title" : "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2021-44533" ], "unique" : false }, { "id" : "CVE-2024-22017", "title" : "setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().\nThis allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().\nThis vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-22017" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false }, { "id" : "CVE-2026-1525", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2026-1525" ], "unique" : false }, { "id" : "CVE-2025-55130", "title" : "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55130" ], "unique" : false }, { "id" : "CVE-2025-55131", "title" : "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55131" ], "unique" : false }, { "id" : "CVE-2023-30589", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-30589" ], "unique" : false }, { "id" : "CVE-2025-31498", "title" : "c-ares has a use-after-free in read_answers()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-31498" ], "unique" : false }, { "id" : "CVE-2025-22150", "title" : "Undici Uses Insufficiently Random Values", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22150" ], "unique" : false }, { "id" : "CVE-2024-21891", "title" : "Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-21891" ], "unique" : false }, { "id" : "CVE-2023-23936", "title" : "CRLF Injection in Nodejs ‘undici’ via host", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23936" ], "unique" : false }, { "id" : "CVE-2024-22020", "title" : "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-22020" ], "unique" : false }, { "id" : "CVE-2024-22025", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-22025" ], "unique" : false }, { "id" : "CVE-2024-28863", "title" : "node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28863" ], "unique" : false }, { "id" : "CVE-2025-23167", "title" : "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-23167" ], "unique" : false }, { "id" : "CVE-2026-1527", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1527" ], "unique" : false }, { "id" : "CVE-2026-21712", "title" : "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21712" ], "unique" : false }, { "id" : "CVE-2026-25547", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-25547" ], "unique" : false }, { "id" : "CVE-2026-26996", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-26996" ], "unique" : false }, { "id" : "CVE-2026-27904", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27904" ], "unique" : false }, { "id" : "CVE-2024-27982", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27982" ], "unique" : false }, { "id" : "CVE-2023-31147", "title" : "Insufficient randomness in generation of DNS query IDs in c-ares", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31147" ], "unique" : false }, { "id" : "CVE-2023-46809", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-46809" ], "unique" : false }, { "id" : "CVE-2025-59466", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59466" ], "unique" : false }, { "id" : "CVE-2026-21637", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21637" ], "unique" : false }, { "id" : "CVE-2026-21713", "title" : "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21713" ], "unique" : false }, { "id" : "CVE-2026-21717", "title" : "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21717" ], "unique" : false }, { "id" : "CVE-2026-2581", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2581" ], "unique" : false }, { "id" : "CVE-2023-31130", "title" : "Buffer Underwrite in ares_inet_net_pton()", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31130" ], "unique" : false }, { "id" : "CVE-2023-30588", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30588" ], "unique" : false }, { "id" : "CVE-2023-39333", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39333" ], "unique" : false }, { "id" : "CVE-2024-28182", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28182" ], "unique" : false }, { "id" : "CVE-2025-23085", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-23085" ], "unique" : false }, { "id" : "CVE-2025-55132", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-55132" ], "unique" : false }, { "id" : "CVE-2026-21714", "title" : "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21714" ], "unique" : false }, { "id" : "CVE-2026-21711", "title" : "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.", "source" : "redhat-csaf", "cvssScore" : 5.2, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21711" ], "unique" : false }, { "id" : "CVE-2024-21890", "title" : "The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:\n```\n --allow-fs-read=/home/node/.ssh/*.pub\n```\n\nwill ignore `pub` and give access to everything after `.ssh/`.\n\nThis misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21.\n\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-21890" ], "unique" : false }, { "id" : "CVE-2024-25629", "title" : "c-ares out of bounds read in ares__read_line()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-25629" ], "unique" : false }, { "id" : "CVE-2023-23920", "title" : "An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23920" ], "unique" : false }, { "id" : "CVE-2023-45143", "title" : "Undici's cookie header not cleared on cross-origin redirect in fetch", "source" : "redhat-csaf", "cvssScore" : 3.9, "severity" : "LOW", "cves" : [ "CVE-2023-45143" ], "unique" : false }, { "id" : "CVE-2024-36137", "title" : "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.\r\n\r\nNode.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a \"read-only\" file descriptor to change the owner and permissions of a file.", "source" : "redhat-csaf", "cvssScore" : 3.9, "severity" : "LOW", "cves" : [ "CVE-2024-36137" ], "unique" : false }, { "id" : "CVE-2026-21716", "title" : "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.8, "severity" : "LOW", "cves" : [ "CVE-2026-21716" ], "unique" : false }, { "id" : "CVE-2023-31124", "title" : "AutoTools does not set CARES_RANDOM_FILE during cross compilation", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2023-31124" ], "unique" : false }, { "id" : "CVE-2025-23165", "title" : "In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\r\n\r\nImpact:\r\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2025-23165" ], "unique" : false }, { "id" : "CVE-2026-21715", "title" : "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-21715" ], "unique" : false }, { "id" : "CVE-2021-44906", "title" : "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2021-44906" ], "unique" : false }, { "id" : "CVE-2024-22018", "title" : "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 2.9, "severity" : "LOW", "cves" : [ "CVE-2024-22018" ], "unique" : false } ], "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-2673", "title" : "OpenSSL TLS 1.3 server may choose unexpected key agreement group", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2673" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2025-9231", "title" : "Timing side-channel in SM2 algorithm on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9231" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-28386", "title" : "Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-28386" ], "unique" : false }, { "id" : "CVE-2026-28388", "title" : "NULL Pointer Dereference When Processing a Delta CRL", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-28388" ], "unique" : false }, { "id" : "CVE-2026-28389", "title" : "Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-28389" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2026-31789", "title" : "Heap Buffer Overflow in Hexadecimal Conversion", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31789" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-28387", "title" : "Potential Use-after-free in DANE Client Code", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-28387" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false }, { "id" : "CVE-2025-9232", "title" : "Out-of-bounds read in HTTP client no_proxy handling", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2025-9232" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/nodejs-libs@16.18.1-3.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=nodejs-16.18.1-3.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-32006", "title" : "The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-32006" ], "unique" : false }, { "id" : "CVE-2022-4904", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2022-4904" ], "unique" : false }, { "id" : "CVE-2023-32002", "title" : "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-32002" ], "unique" : false }, { "id" : "CVE-2025-23083", "title" : "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \r\n\r\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-23083" ], "unique" : false }, { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false }, { "id" : "CVE-2021-35065", "title" : "The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2021-35065" ], "unique" : false }, { "id" : "CVE-2022-25881", "title" : "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25881" ], "unique" : false }, { "id" : "CVE-2023-23918", "title" : "A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-23918" ], "unique" : false }, { "id" : "CVE-2023-24807", "title" : "Undici vulnerable to Regular Expression Denial of Service in Headers", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24807" ], "unique" : false }, { "id" : "CVE-2023-30581", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-30581" ], "unique" : false }, { "id" : "CVE-2023-30590", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-30590" ], "unique" : false }, { "id" : "CVE-2023-32067", "title" : "0-byte UDP payload DoS in c-ares", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-32067" ], "unique" : false }, { "id" : "CVE-2023-32559", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-32559" ], "unique" : false }, { "id" : "CVE-2023-44487", "title" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-44487" ], "unique" : false }, { "id" : "CVE-2024-22019", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-22019" ], "unique" : false }, { "id" : "CVE-2024-27983", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-27983" ], "unique" : false }, { "id" : "CVE-2025-23166", "title" : "The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-23166" ], "unique" : false }, { "id" : "CVE-2025-59465", "title" : "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on('secureConnection', socket => {\n socket.on('error', err => {\n console.log(err)\n })\n})\n```", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-59465" ], "unique" : false }, { "id" : "CVE-2026-1526", "title" : "undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1526" ], "unique" : false }, { "id" : "CVE-2026-1528", "title" : "undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1528" ], "unique" : false }, { "id" : "CVE-2026-21710", "title" : "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-21710" ], "unique" : false }, { "id" : "CVE-2026-2229", "title" : "undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-2229" ], "unique" : false }, { "id" : "CVE-2026-27135", "title" : "nghttp2 Denial of service: Assertion failure due to the missing state validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27135" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false }, { "id" : "CVE-2026-1525", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2026-1525" ], "unique" : false }, { "id" : "CVE-2025-55130", "title" : "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55130" ], "unique" : false }, { "id" : "CVE-2025-55131", "title" : "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55131" ], "unique" : false }, { "id" : "CVE-2023-30589", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-30589" ], "unique" : false }, { "id" : "CVE-2025-31498", "title" : "c-ares has a use-after-free in read_answers()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-31498" ], "unique" : false }, { "id" : "CVE-2025-22150", "title" : "Undici Uses Insufficiently Random Values", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22150" ], "unique" : false }, { "id" : "CVE-2023-23936", "title" : "CRLF Injection in Nodejs ‘undici’ via host", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23936" ], "unique" : false }, { "id" : "CVE-2024-22025", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-22025" ], "unique" : false }, { "id" : "CVE-2026-1527", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1527" ], "unique" : false }, { "id" : "CVE-2026-21712", "title" : "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21712" ], "unique" : false }, { "id" : "CVE-2026-25547", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-25547" ], "unique" : false }, { "id" : "CVE-2026-26996", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-26996" ], "unique" : false }, { "id" : "CVE-2026-27904", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27904" ], "unique" : false }, { "id" : "CVE-2024-27982", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27982" ], "unique" : false }, { "id" : "CVE-2023-31147", "title" : "Insufficient randomness in generation of DNS query IDs in c-ares", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31147" ], "unique" : false }, { "id" : "CVE-2025-59466", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59466" ], "unique" : false }, { "id" : "CVE-2026-21637", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21637" ], "unique" : false }, { "id" : "CVE-2026-21713", "title" : "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21713" ], "unique" : false }, { "id" : "CVE-2026-21717", "title" : "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21717" ], "unique" : false }, { "id" : "CVE-2026-2581", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2581" ], "unique" : false }, { "id" : "CVE-2023-31130", "title" : "Buffer Underwrite in ares_inet_net_pton()", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31130" ], "unique" : false }, { "id" : "CVE-2023-30588", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30588" ], "unique" : false }, { "id" : "CVE-2024-28182", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28182" ], "unique" : false }, { "id" : "CVE-2025-23085", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-23085" ], "unique" : false }, { "id" : "CVE-2026-21714", "title" : "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21714" ], "unique" : false }, { "id" : "CVE-2026-21711", "title" : "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.", "source" : "redhat-csaf", "cvssScore" : 5.2, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21711" ], "unique" : false }, { "id" : "CVE-2024-25629", "title" : "c-ares out of bounds read in ares__read_line()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-25629" ], "unique" : false }, { "id" : "CVE-2023-23920", "title" : "An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23920" ], "unique" : false }, { "id" : "CVE-2026-21716", "title" : "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.8, "severity" : "LOW", "cves" : [ "CVE-2026-21716" ], "unique" : false }, { "id" : "CVE-2023-31124", "title" : "AutoTools does not set CARES_RANDOM_FILE during cross compilation", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2023-31124" ], "unique" : false }, { "id" : "CVE-2025-23165", "title" : "In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\r\n\r\nImpact:\r\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2025-23165" ], "unique" : false }, { "id" : "CVE-2026-21715", "title" : "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-21715" ], "unique" : false }, { "id" : "CVE-2025-55132", "source" : "redhat-csaf", "cvssScore" : 2.8, "severity" : "LOW", "cves" : [ "CVE-2025-55132" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-32006", "title" : "The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-32006" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-base@6.2-8.20210508.el9?arch=noarch&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcap@2.48-8.el9?arch=x86_64&distro=rhel-9.1&upstream=libcap-2.48-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false }, { "id" : "CVE-2026-4878", "title" : "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4878" ], "unique" : false }, { "id" : "CVE-2023-2602", "title" : "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-2602" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libbrotli@1.0.9-6.el9?arch=x86_64&distro=rhel-9.1&upstream=brotli-1.0.9-6.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libstdc%2B%2B@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2023-39332", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2023-39332" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/environment-modules@5.0.1-1.el9?arch=x86_64&distro=rhel-9.1&upstream=environment-modules-5.0.1-1.el9.src.rpm", "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/less@590-1.el9_0?arch=x86_64&distro=rhel-9.1&upstream=less-590-1.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2024-32487", "title" : "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2024-32487" ], "unique" : false }, { "id" : "CVE-2022-46663", "title" : "In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-46663" ], "unique" : false }, { "id" : "CVE-2022-48624", "title" : "close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-48624" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-32487", "title" : "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2024-32487" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-base@6.2-8.20210508.el9?arch=noarch&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcap@2.48-8.el9?arch=x86_64&distro=rhel-9.1&upstream=libcap-2.48-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false }, { "id" : "CVE-2026-4878", "title" : "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4878" ], "unique" : false }, { "id" : "CVE-2023-2602", "title" : "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-2602" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/systemd-libs@250-12.el9_1.3?arch=x86_64&distro=rhel-9.1&upstream=systemd-250-12.el9_1.3.src.rpm", "issues" : [ { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false }, { "id" : "CVE-2023-7008", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7008" ], "unique" : false }, { "id" : "CVE-2025-4598", "title" : "Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-4598" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=xz-5.2.5-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libgcrypt@1.10.0-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=libgcrypt-1.10.0-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2026-41989", "title" : "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-41989" ], "unique" : false }, { "id" : "CVE-2024-2236", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-2236" ], "unique" : false }, { "id" : "CVE-2026-41990", "title" : "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-41990" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-41989", "title" : "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-41989" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libstdc%2B%2B@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gzip@1.12-1.el9?arch=x86_64&distro=rhel-9.1&upstream=gzip-1.12-1.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-41991", "title" : "Predictable Temporary File in GNU gzip", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-41991" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-41991", "title" : "Predictable Temporary File in GNU gzip", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-41991" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/procps-ng@3.3.17-8.el9?arch=x86_64&distro=rhel-9.1&upstream=procps-ng-3.3.17-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-4016", "title" : "Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-4016" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-4016", "title" : "Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-4016" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-gobject-base@3.40.1-6.el9?arch=x86_64&distro=rhel-9.1&upstream=pygobject3-3.40.1-6.el9.src.rpm", "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-setuptools-wheel@53.0.0-10.el9_1.1?arch=noarch&distro=rhel-9.1&upstream=python-setuptools-53.0.0-10.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-6345", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false }, { "id" : "CVE-2025-47273", "title" : "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-47273" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-6345", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-libs@3.9.14-1.el9_1.2?arch=x86_64&distro=rhel-9.1&upstream=python3.9-3.9.14-1.el9_1.2.src.rpm", "issues" : [ { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false }, { "id" : "CVE-2026-6100", "title" : "Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-6100" ], "unique" : false }, { "id" : "CVE-2023-6597", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-6597" ], "unique" : false }, { "id" : "CVE-2024-12718", "title" : "Bypass extraction filter to modify file metadata outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-12718" ], "unique" : false }, { "id" : "CVE-2025-4517", "title" : "Arbitrary writes via tarfile realpath overflow", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2025-4517" ], "unique" : false }, { "id" : "CVE-2023-24329", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24329" ], "unique" : false }, { "id" : "CVE-2024-6232", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-6232" ], "unique" : false }, { "id" : "CVE-2025-12084", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-12084" ], "unique" : false }, { "id" : "CVE-2025-4138", "title" : "Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4138" ], "unique" : false }, { "id" : "CVE-2025-4435", "title" : "Tarfile extracts filtered members when errorlevel=0", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4435" ], "unique" : false }, { "id" : "CVE-2025-8194", "title" : "Tarfile infinite loop during parsing with negative member offset", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-8194" ], "unique" : false }, { "id" : "CVE-2025-4330", "title" : "Extraction filter bypass for linking outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-4330" ], "unique" : false }, { "id" : "CVE-2025-15366", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15366" ], "unique" : false }, { "id" : "CVE-2025-15367", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15367" ], "unique" : false }, { "id" : "CVE-2026-1299", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-1299" ], "unique" : false }, { "id" : "CVE-2026-4519", "title" : "webbrowser.open() allows leading dashes in URLs", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4519" ], "unique" : false }, { "id" : "CVE-2026-4786", "title" : "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4786" ], "unique" : false }, { "id" : "CVE-2024-6923", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6923" ], "unique" : false }, { "id" : "CVE-2025-0938", "title" : "URL parser allowed square brackets in domain names", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0938" ], "unique" : false }, { "id" : "CVE-2025-13836", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13836" ], "unique" : false }, { "id" : "CVE-2024-9287", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-9287" ], "unique" : false }, { "id" : "CVE-2024-0450", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0450" ], "unique" : false }, { "id" : "CVE-2025-13837", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13837" ], "unique" : false }, { "id" : "CVE-2026-4224", "title" : "Stack overflow parsing XML with deeply nested DTD content models", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4224" ], "unique" : false }, { "id" : "CVE-2007-4559", "title" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2007-4559" ], "unique" : false }, { "id" : "CVE-2026-3644", "title" : "Incomplete control character validation in http.cookies", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3644" ], "unique" : false }, { "id" : "CVE-2023-27043", "title" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-27043" ], "unique" : false }, { "id" : "CVE-2024-8088", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-8088" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2024-0397", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0397" ], "unique" : false }, { "id" : "CVE-2024-7592", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-7592" ], "unique" : false }, { "id" : "CVE-2025-15282", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15282" ], "unique" : false }, { "id" : "CVE-2026-0672", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0672" ], "unique" : false }, { "id" : "CVE-2026-0865", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0865" ], "unique" : false }, { "id" : "CVE-2026-1502", "title" : "HTTP client proxy tunnel headers not validated for CR/LF", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1502" ], "unique" : false }, { "id" : "CVE-2025-6069", "title" : "HTMLParser quadratic complexity when processing malformed inputs", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6069" ], "unique" : false }, { "id" : "CVE-2025-8291", "title" : "ZIP64 End of Central Directory (EOCD) Locator record offset not checked", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8291" ], "unique" : false }, { "id" : "CVE-2025-6075", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6075" ], "unique" : false }, { "id" : "CVE-2024-11168", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-11168" ], "unique" : false }, { "id" : "CVE-2024-4032", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-4032" ], "unique" : false }, { "id" : "CVE-2026-2297", "title" : "SourcelessFileLoader does not use io.open_code()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-2297" ], "unique" : false }, { "id" : "CVE-2024-5642", "title" : "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "source" : "redhat-csaf", "cvssScore" : 2.7, "severity" : "LOW", "cves" : [ "CVE-2024-5642" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3@3.9.14-1.el9_1.2?arch=x86_64&distro=rhel-9.1&upstream=python3.9-3.9.14-1.el9_1.2.src.rpm", "issues" : [ { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false }, { "id" : "CVE-2026-6100", "title" : "Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-6100" ], "unique" : false }, { "id" : "CVE-2023-6597", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-6597" ], "unique" : false }, { "id" : "CVE-2024-12718", "title" : "Bypass extraction filter to modify file metadata outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-12718" ], "unique" : false }, { "id" : "CVE-2025-4517", "title" : "Arbitrary writes via tarfile realpath overflow", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2025-4517" ], "unique" : false }, { "id" : "CVE-2023-24329", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24329" ], "unique" : false }, { "id" : "CVE-2024-6232", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-6232" ], "unique" : false }, { "id" : "CVE-2025-12084", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-12084" ], "unique" : false }, { "id" : "CVE-2025-4138", "title" : "Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4138" ], "unique" : false }, { "id" : "CVE-2025-4435", "title" : "Tarfile extracts filtered members when errorlevel=0", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4435" ], "unique" : false }, { "id" : "CVE-2025-8194", "title" : "Tarfile infinite loop during parsing with negative member offset", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-8194" ], "unique" : false }, { "id" : "CVE-2025-4330", "title" : "Extraction filter bypass for linking outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-4330" ], "unique" : false }, { "id" : "CVE-2025-15366", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15366" ], "unique" : false }, { "id" : "CVE-2025-15367", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15367" ], "unique" : false }, { "id" : "CVE-2026-1299", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-1299" ], "unique" : false }, { "id" : "CVE-2026-4519", "title" : "webbrowser.open() allows leading dashes in URLs", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4519" ], "unique" : false }, { "id" : "CVE-2026-4786", "title" : "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4786" ], "unique" : false }, { "id" : "CVE-2024-6923", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6923" ], "unique" : false }, { "id" : "CVE-2025-0938", "title" : "URL parser allowed square brackets in domain names", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0938" ], "unique" : false }, { "id" : "CVE-2025-13836", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13836" ], "unique" : false }, { "id" : "CVE-2026-6019", "title" : "BaseCookie.js_output() does not neutralize embedded characters", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6019" ], "unique" : false }, { "id" : "CVE-2024-9287", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-9287" ], "unique" : false }, { "id" : "CVE-2024-0450", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0450" ], "unique" : false }, { "id" : "CVE-2026-5713", "title" : "Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5713" ], "unique" : false }, { "id" : "CVE-2025-13837", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13837" ], "unique" : false }, { "id" : "CVE-2026-4224", "title" : "Stack overflow parsing XML with deeply nested DTD content models", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4224" ], "unique" : false }, { "id" : "CVE-2007-4559", "title" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2007-4559" ], "unique" : false }, { "id" : "CVE-2026-3644", "title" : "Incomplete control character validation in http.cookies", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3644" ], "unique" : false }, { "id" : "CVE-2023-27043", "title" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-27043" ], "unique" : false }, { "id" : "CVE-2024-8088", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-8088" ], "unique" : false }, { "id" : "CVE-2025-12781", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-12781" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2026-3446", "title" : "Base64 decoding stops at first padded quad by default", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3446" ], "unique" : false }, { "id" : "CVE-2024-0397", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0397" ], "unique" : false }, { "id" : "CVE-2024-7592", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-7592" ], "unique" : false }, { "id" : "CVE-2025-15282", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15282" ], "unique" : false }, { "id" : "CVE-2026-0672", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0672" ], "unique" : false }, { "id" : "CVE-2025-11468", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11468" ], "unique" : false }, { "id" : "CVE-2026-0865", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0865" ], "unique" : false }, { "id" : "CVE-2026-1502", "title" : "HTTP client proxy tunnel headers not validated for CR/LF", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1502" ], "unique" : false }, { "id" : "CVE-2025-6069", "title" : "HTMLParser quadratic complexity when processing malformed inputs", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6069" ], "unique" : false }, { "id" : "CVE-2025-8291", "title" : "ZIP64 End of Central Directory (EOCD) Locator record offset not checked", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8291" ], "unique" : false }, { "id" : "CVE-2025-6075", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6075" ], "unique" : false }, { "id" : "CVE-2024-11168", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-11168" ], "unique" : false }, { "id" : "CVE-2024-4032", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-4032" ], "unique" : false }, { "id" : "CVE-2026-2297", "title" : "SourcelessFileLoader does not use io.open_code()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-2297" ], "unique" : false }, { "id" : "CVE-2026-3479", "title" : "pkgutil.get_data() does not enforce documented restrictions", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-3479" ], "unique" : false }, { "id" : "CVE-2024-5642", "title" : "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "source" : "redhat-csaf", "cvssScore" : 2.7, "severity" : "LOW", "cves" : [ "CVE-2024-5642" ], "unique" : false }, { "id" : "CVE-2025-13462", "title" : "tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2025-13462" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gnutls@3.7.6-12.el9_0?arch=x86_64&distro=rhel-9.1&upstream=gnutls-3.7.6-12.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2026-42013", "title" : "Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-42013" ], "unique" : false }, { "id" : "CVE-2026-5260", "title" : "Gnutls: gnutls: information disclosure via heap overread in rsa key exchange", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-5260" ], "unique" : false }, { "id" : "CVE-2024-0553", "title" : "Gnutls: incomplete fix for cve-2023-5981", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-0553" ], "unique" : false }, { "id" : "CVE-2024-0567", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-0567" ], "unique" : false }, { "id" : "CVE-2026-1584", "title" : "Gnutls: gnutls: remote denial of service via crafted clienthello with invalid psk binder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1584" ], "unique" : false }, { "id" : "CVE-2026-33845", "title" : "Gnutls: gnutls: denial of service via dtls zero-length fragment", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33845" ], "unique" : false }, { "id" : "CVE-2026-33846", "title" : "Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33846" ], "unique" : false }, { "id" : "CVE-2026-42009", "title" : "Gnutls: gnutls: denial of service via dtls packet reordering vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-42009" ], "unique" : false }, { "id" : "CVE-2023-0361", "title" : "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2023-0361" ], "unique" : false }, { "id" : "CVE-2026-42011", "title" : "Gnutls: gnutls: security bypass due to incorrect name constraint handling", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-42011" ], "unique" : false }, { "id" : "CVE-2026-42010", "title" : "Gnutls: gnutls: authentication bypass via nul character in username", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-42010" ], "unique" : false }, { "id" : "CVE-2026-42012", "title" : "Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-42012" ], "unique" : false }, { "id" : "CVE-2026-42014", "title" : "Gnutls: gnutls: use-after-free in gnutls_pkcs11_token_set_pin", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42014" ], "unique" : false }, { "id" : "CVE-2025-32988", "title" : "Gnutls: vulnerability in gnutls othername san export", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32988" ], "unique" : false }, { "id" : "CVE-2025-32990", "title" : "Gnutls: vulnerability in gnutls certtool template parsing", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32990" ], "unique" : false }, { "id" : "CVE-2025-6395", "title" : "Gnutls: null pointer dereference in _gnutls_figure_common_ciphersuite()", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6395" ], "unique" : false }, { "id" : "CVE-2026-3833", "title" : "Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3833" ], "unique" : false }, { "id" : "CVE-2023-5981", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5981" ], "unique" : false }, { "id" : "CVE-2024-12243", "title" : "Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12243" ], "unique" : false }, { "id" : "CVE-2024-28834", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28834" ], "unique" : false }, { "id" : "CVE-2025-14831", "title" : "Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14831" ], "unique" : false }, { "id" : "CVE-2025-32989", "title" : "Gnutls: vulnerability in gnutls sct extension parsing", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32989" ], "unique" : false }, { "id" : "CVE-2026-42015", "title" : "Gnutls: gnutls: memory corruption due to off-by-one error in pkcs#12 bag handling", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42015" ], "unique" : false }, { "id" : "CVE-2024-28835", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28835" ], "unique" : false }, { "id" : "CVE-2025-9820", "title" : "Gnutls: stack-based buffer overflow in gnutls_pkcs11_token_init() function", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9820" ], "unique" : false }, { "id" : "CVE-2026-3832", "title" : "Gnutls: gnutls: security bypass allows acceptance of revoked server certificates via crafted ocsp response", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3832" ], "unique" : false }, { "id" : "CVE-2026-5419", "title" : "Gnutls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-5419" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-42013", "title" : "Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-42013" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-base@6.2-8.20210508.el9?arch=noarch&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcap@2.48-8.el9?arch=x86_64&distro=rhel-9.1&upstream=libcap-2.48-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false }, { "id" : "CVE-2026-4878", "title" : "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4878" ], "unique" : false }, { "id" : "CVE-2023-2602", "title" : "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-2602" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sqlite-libs@3.34.1-6.el9_1?arch=x86_64&distro=rhel-9.1&upstream=sqlite-3.34.1-6.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false }, { "id" : "CVE-2023-7104", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-7104" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=xz-5.2.5-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/expat@2.4.9-1.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=expat-2.4.9-1.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false }, { "id" : "CVE-2024-28757", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-28757" ], "unique" : false }, { "id" : "CVE-2024-45490", "title" : "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45490" ], "unique" : false }, { "id" : "CVE-2024-45491", "title" : "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45491" ], "unique" : false }, { "id" : "CVE-2024-8176", "title" : "Libexpat: expat: improper restriction of xml entity expansion depth in libexpat", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-8176" ], "unique" : false }, { "id" : "CVE-2026-45186", "title" : "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-45186" ], "unique" : false }, { "id" : "CVE-2026-56132", "title" : "In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.", "source" : "redhat-csaf", "cvssScore" : 6.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-56132" ], "unique" : false }, { "id" : "CVE-2022-23990", "title" : "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-23990" ], "unique" : false }, { "id" : "CVE-2024-45492", "title" : "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45492" ], "unique" : false }, { "id" : "CVE-2024-50602", "title" : "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50602" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2026-50219", "title" : "libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,", "source" : "redhat-csaf", "cvssScore" : 4.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-50219" ], "unique" : false }, { "id" : "CVE-2026-41080", "title" : "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-41080" ], "unique" : false }, { "id" : "CVE-2013-0340", "source" : "redhat-csaf", "cves" : [ "CVE-2013-0340" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libblkid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false }, { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false }, { "id" : "CVE-2026-27456", "title" : "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27456" ], "unique" : false }, { "id" : "CVE-2026-3184", "title" : "Util-linux: util-linux: access control bypass due to improper hostname canonicalization", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3184" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libuuid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/bzip2-libs@1.0.8-8.el9?arch=x86_64&distro=rhel-9.1&upstream=bzip2-1.0.8-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/lsof@4.94.0-3.el9?arch=x86_64&distro=rhel-9.1&upstream=lsof-4.94.0-3.el9.src.rpm", "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-base@6.2-8.20210508.el9?arch=noarch&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcap@2.48-8.el9?arch=x86_64&distro=rhel-9.1&upstream=libcap-2.48-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false }, { "id" : "CVE-2026-4878", "title" : "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4878" ], "unique" : false }, { "id" : "CVE-2023-2602", "title" : "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-2602" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gmp@6.2.0-10.el9?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=gmp-6.2.0-10.el9.src.rpm", "issues" : [ { "id" : "CVE-2021-43618", "title" : "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2021-43618" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-43618", "title" : "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2021-43618" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/git-core@2.31.1-3.el9_1?arch=x86_64&distro=rhel-9.1&upstream=git-2.31.1-3.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-32002", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-32002" ], "unique" : false }, { "id" : "CVE-2022-39260", "title" : "Git vulnerable to Remote Code Execution via Heap overflow in `git shell`", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2022-39260" ], "unique" : false }, { "id" : "CVE-2025-48385", "source" : "redhat-csaf", "cvssScore" : 8.3, "severity" : "HIGH", "cves" : [ "CVE-2025-48385" ], "unique" : false }, { "id" : "CVE-2024-32004", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-32004" ], "unique" : false }, { "id" : "CVE-2025-48384", "source" : "redhat-csaf", "cvssScore" : 8.0, "severity" : "HIGH", "cves" : [ "CVE-2025-48384" ], "unique" : false }, { "id" : "CVE-2022-24765", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2022-24765" ], "unique" : false }, { "id" : "CVE-2022-29187", "title" : "Bypass of safe.directory protections in Git", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2022-29187" ], "unique" : false }, { "id" : "CVE-2023-29007", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29007" ], "unique" : false }, { "id" : "CVE-2023-23946", "title" : "Git's `git apply` overwriting paths outside the working tree", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-23946" ], "unique" : false }, { "id" : "CVE-2023-25652", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-25652" ], "unique" : false }, { "id" : "CVE-2024-52005", "title" : "The sideband payload is passed unfiltered to the terminal in git", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-52005" ], "unique" : false }, { "id" : "CVE-2024-32465", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-32465" ], "unique" : false }, { "id" : "CVE-2025-27614", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-27614" ], "unique" : false }, { "id" : "CVE-2022-39253", "title" : "Git subject to exposure of sensitive information via local clone of symbolic links", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-39253" ], "unique" : false }, { "id" : "CVE-2023-22490", "title" : "Git vulnerable to local clone-based data exfiltration with non-local transports", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22490" ], "unique" : false }, { "id" : "CVE-2024-52006", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-52006" ], "unique" : false }, { "id" : "CVE-2025-27613", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-27613" ], "unique" : false }, { "id" : "CVE-2024-32020", "title" : "Cloning local Git repository by untrusted user allows the untrusted user to modify objects in the cloned repository at will", "source" : "redhat-csaf", "cvssScore" : 3.9, "severity" : "LOW", "cves" : [ "CVE-2024-32020" ], "unique" : false }, { "id" : "CVE-2024-32021", "source" : "redhat-csaf", "cvssScore" : 3.9, "severity" : "LOW", "cves" : [ "CVE-2024-32021" ], "unique" : false }, { "id" : "CVE-2024-50349", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2024-50349" ], "unique" : false }, { "id" : "CVE-2025-46835", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2025-46835" ], "unique" : false }, { "id" : "CVE-2023-25815", "source" : "redhat-csaf", "cvssScore" : 2.2, "severity" : "LOW", "cves" : [ "CVE-2023-25815" ], "unique" : false } ], "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-2673", "title" : "OpenSSL TLS 1.3 server may choose unexpected key agreement group", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2673" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2025-9231", "title" : "Timing side-channel in SM2 algorithm on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9231" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-28386", "title" : "Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-28386" ], "unique" : false }, { "id" : "CVE-2026-28388", "title" : "NULL Pointer Dereference When Processing a Delta CRL", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-28388" ], "unique" : false }, { "id" : "CVE-2026-28389", "title" : "Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-28389" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2026-31789", "title" : "Heap Buffer Overflow in Hexadecimal Conversion", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31789" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-28387", "title" : "Potential Use-after-free in DANE Client Code", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-28387" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false }, { "id" : "CVE-2025-9232", "title" : "Out-of-bounds read in HTTP client no_proxy handling", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2025-9232" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/openssh-clients@8.7p1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=openssh-8.7p1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-38408", "title" : "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2023-38408" ], "unique" : false }, { "id" : "CVE-2026-3497", "title" : "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-3497" ], "unique" : false }, { "id" : "CVE-2024-6387", "title" : "Openssh: regresshion - race condition in ssh allows rce/dos", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-6387" ], "unique" : false }, { "id" : "CVE-2026-35385", "title" : "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-35385" ], "unique" : false }, { "id" : "CVE-2024-6409", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-6409" ], "unique" : false }, { "id" : "CVE-2025-26465", "title" : "Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-26465" ], "unique" : false }, { "id" : "CVE-2023-25136", "title" : "OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states \"remote code execution is theoretically possible.\"", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-25136" ], "unique" : false }, { "id" : "CVE-2023-51385", "title" : "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-51385" ], "unique" : false }, { "id" : "CVE-2023-48795", "title" : "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-48795" ], "unique" : false }, { "id" : "CVE-2025-61984", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-61984" ], "unique" : false }, { "id" : "CVE-2025-61985", "title" : "ssh in OpenSSH before 10.1 allows the '\\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-61985" ], "unique" : false }, { "id" : "CVE-2026-35414", "title" : "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-35414" ], "unique" : false }, { "id" : "CVE-2025-32728", "title" : "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32728" ], "unique" : false }, { "id" : "CVE-2026-35386", "title" : "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "source" : "redhat-csaf", "cvssScore" : 3.6, "severity" : "LOW", "cves" : [ "CVE-2026-35386" ], "unique" : false }, { "id" : "CVE-2026-35387", "title" : "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2026-35387" ], "unique" : false }, { "id" : "CVE-2026-35388", "title" : "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "source" : "redhat-csaf", "cvssScore" : 2.2, "severity" : "LOW", "cves" : [ "CVE-2026-35388" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-38408", "title" : "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2023-38408" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/less@590-1.el9_0?arch=x86_64&distro=rhel-9.1&upstream=less-590-1.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2024-32487", "title" : "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2024-32487" ], "unique" : false }, { "id" : "CVE-2022-46663", "title" : "In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-46663" ], "unique" : false }, { "id" : "CVE-2022-48624", "title" : "close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-48624" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-32487", "title" : "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2024-32487" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl unit exists and is running.", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40223" ], "unique" : false }, { "id" : "CVE-2026-40228", "title" : "In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set.", "source" : "redhat-csaf", "cvssScore" : 2.9, "severity" : "LOW", "cves" : [ "CVE-2026-40228" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/systemd-libs@250-12.el9_1.3?arch=x86_64&distro=rhel-9.1&upstream=systemd-250-12.el9_1.3.src.rpm", "issues" : [ { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false }, { "id" : "CVE-2023-7008", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7008" ], "unique" : false }, { "id" : "CVE-2025-4598", "title" : "Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-4598" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-29111", "title" : "systemd: Local unprivileged user can trigger an assert", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-29111" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sqlite-libs@3.34.1-6.el9_1?arch=x86_64&distro=rhel-9.1&upstream=sqlite-3.34.1-6.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false }, { "id" : "CVE-2023-7104", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-7104" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libnghttp2@1.43.0-5.el9?arch=x86_64&distro=rhel-9.1&upstream=nghttp2-1.43.0-5.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-44487", "title" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-44487" ], "unique" : false }, { "id" : "CVE-2026-27135", "title" : "nghttp2 Denial of service: Assertion failure due to the missing state validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27135" ], "unique" : false }, { "id" : "CVE-2024-28182", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28182" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-44487", "title" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-44487" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/expat@2.4.9-1.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=expat-2.4.9-1.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false }, { "id" : "CVE-2024-28757", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-28757" ], "unique" : false }, { "id" : "CVE-2024-45490", "title" : "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45490" ], "unique" : false }, { "id" : "CVE-2024-45491", "title" : "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45491" ], "unique" : false }, { "id" : "CVE-2024-8176", "title" : "Libexpat: expat: improper restriction of xml entity expansion depth in libexpat", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-8176" ], "unique" : false }, { "id" : "CVE-2026-45186", "title" : "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-45186" ], "unique" : false }, { "id" : "CVE-2026-56132", "title" : "In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.", "source" : "redhat-csaf", "cvssScore" : 6.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-56132" ], "unique" : false }, { "id" : "CVE-2022-23990", "title" : "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-23990" ], "unique" : false }, { "id" : "CVE-2024-45492", "title" : "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45492" ], "unique" : false }, { "id" : "CVE-2024-50602", "title" : "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50602" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2026-50219", "title" : "libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,", "source" : "redhat-csaf", "cvssScore" : 4.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-50219" ], "unique" : false }, { "id" : "CVE-2026-41080", "title" : "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-41080" ], "unique" : false }, { "id" : "CVE-2013-0340", "source" : "redhat-csaf", "cves" : [ "CVE-2013-0340" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=xz-5.2.5-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libgcrypt@1.10.0-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=libgcrypt-1.10.0-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2026-41989", "title" : "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-41989" ], "unique" : false }, { "id" : "CVE-2024-2236", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-2236" ], "unique" : false }, { "id" : "CVE-2026-41990", "title" : "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-41990" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-41989", "title" : "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-41989" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/dmidecode@3.3-7.el9?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=dmidecode-3.3-7.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-30630", "title" : "Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly).", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-30630" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-30630", "title" : "Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly).", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-30630" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/openldap@2.6.2-3.el9?arch=x86_64&distro=rhel-9.1&upstream=openldap-2.6.2-3.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2953", "title" : "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-2953" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2953", "title" : "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-2953" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/openldap-compat@2.6.2-3.el9?arch=x86_64&distro=rhel-9.1&upstream=openldap-2.6.2-3.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2953", "title" : "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-2953" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2953", "title" : "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-2953" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-rpm@4.16.1.3-19.el9_1?arch=x86_64&distro=rhel-9.1&upstream=rpm-4.16.1.3-19.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2026-44604", "title" : "Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-44604" ], "unique" : false }, { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false }, { "id" : "CVE-2021-35939", "title" : "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35939" ], "unique" : false }, { "id" : "CVE-2021-35937", "title" : "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35937" ], "unique" : false }, { "id" : "CVE-2026-44605", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-44605" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-44604", "title" : "Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-44604" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/rpm@4.16.1.3-19.el9_1?arch=x86_64&distro=rhel-9.1&upstream=rpm-4.16.1.3-19.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2026-44604", "title" : "Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-44604" ], "unique" : false }, { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false }, { "id" : "CVE-2021-35939", "title" : "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35939" ], "unique" : false }, { "id" : "CVE-2021-35937", "title" : "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35937" ], "unique" : false }, { "id" : "CVE-2026-44605", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-44605" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-44604", "title" : "Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-44604" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libblkid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false }, { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false }, { "id" : "CVE-2026-27456", "title" : "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27456" ], "unique" : false }, { "id" : "CVE-2026-3184", "title" : "Util-linux: util-linux: access control bypass due to improper hostname canonicalization", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3184" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/util-linux@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false }, { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false }, { "id" : "CVE-2026-27456", "title" : "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27456" ], "unique" : false }, { "id" : "CVE-2026-3184", "title" : "Util-linux: util-linux: access control bypass due to improper hostname canonicalization", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3184" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-decorator@4.4.2-6.el9?arch=noarch&distro=rhel-9.1&upstream=python-decorator-4.4.2-6.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2727", "title" : "Bypassing policies imposed by the ImagePolicyWebhook admission plugin", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2727" ], "unique" : false }, { "id" : "CVE-2023-2728", "title" : "Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2728" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2727", "title" : "Bypassing policies imposed by the ImagePolicyWebhook admission plugin", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2727" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/rpm-sign-libs@4.16.1.3-19.el9_1?arch=x86_64&distro=rhel-9.1&upstream=rpm-4.16.1.3-19.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false }, { "id" : "CVE-2021-35939", "title" : "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35939" ], "unique" : false }, { "id" : "CVE-2021-35937", "title" : "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35937" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/rpm-build-libs@4.16.1.3-19.el9_1?arch=x86_64&distro=rhel-9.1&upstream=rpm-4.16.1.3-19.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false }, { "id" : "CVE-2021-35939", "title" : "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35939" ], "unique" : false }, { "id" : "CVE-2021-35937", "title" : "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35937" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/rpm-libs@4.16.1.3-19.el9_1?arch=x86_64&distro=rhel-9.1&upstream=rpm-4.16.1.3-19.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false }, { "id" : "CVE-2021-35939", "title" : "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35939" ], "unique" : false }, { "id" : "CVE-2021-35937", "title" : "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35937" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-35938", "title" : "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-35938" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libeconf@0.4.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=libeconf-0.4.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-22652", "title" : "Stack buffer overflow in \"read_file\" function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22652" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-22652", "title" : "Stack buffer overflow in \"read_file\" function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22652" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/tpm2-tss@3.0.3-8.el9?arch=x86_64&distro=rhel-9.1&upstream=tpm2-tss-3.0.3-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-22745", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22745" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-22745", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-22745" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/lua-libs@5.4.4-2.el9_1?arch=x86_64&distro=rhel-9.1&upstream=lua-5.4.4-2.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2022-28805", "title" : "singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2022-28805" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2022-28805", "title" : "singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2022-28805" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gmp@6.2.0-10.el9?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=gmp-6.2.0-10.el9.src.rpm", "issues" : [ { "id" : "CVE-2021-43618", "title" : "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2021-43618" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-43618", "title" : "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2021-43618" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/dbus@1.12.20-7.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=dbus-1.12.20-7.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-34969", "title" : "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-34969" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-34969", "title" : "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-34969" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/dbus-libs@1.12.20-7.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=dbus-1.12.20-7.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-34969", "title" : "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-34969" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-34969", "title" : "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-34969" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libstdc%2B%2B@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/util-linux-core@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libuuid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libsmartcols@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libgomp@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gzip@1.12-1.el9?arch=x86_64&distro=rhel-9.1&upstream=gzip-1.12-1.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-41991", "title" : "Predictable Temporary File in GNU gzip", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-41991" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-41991", "title" : "Predictable Temporary File in GNU gzip", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-41991" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/file-libs@5.39-10.el9?arch=x86_64&distro=rhel-9.1&upstream=file-5.39-10.el9.src.rpm", "issues" : [ { "id" : "CVE-2022-48554", "title" : "File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-48554" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2022-48554", "title" : "File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-48554" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/shadow-utils@4.9-5.el9?arch=x86_64&distro=rhel-9.1&epoch=2&upstream=shadow-utils-4.9-5.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-4641", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4641" ], "unique" : false }, { "id" : "CVE-2024-56433", "title" : "shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.", "source" : "redhat-csaf", "cvssScore" : 3.6, "severity" : "LOW", "cves" : [ "CVE-2024-56433" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-4641", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4641" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/bzip2-libs@1.0.8-8.el9?arch=x86_64&distro=rhel-9.1&upstream=bzip2-1.0.8-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/golang@1.18.9-1.el9_1?arch=x86_64&distro=rhel-9.1&upstream=golang-1.18.9-1.el9_1.src.rpm", "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-devel@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/golang-bin@1.18.9-1.el9_1?arch=x86_64&distro=rhel-9.1&upstream=golang-1.18.9-1.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-24538", "title" : "Backticks not treated as string delimiters in html/template", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2023-24538" ], "unique" : false }, { "id" : "CVE-2026-27140", "title" : "Code execution vulnerability in SWIG code generation in cmd/go", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2026-27140" ], "unique" : false }, { "id" : "CVE-2025-4674", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2025-4674" ], "unique" : false }, { "id" : "CVE-2025-61731", "title" : "Arbitrary file write using cgo pkg-config directive in cmd/go", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2025-61731" ], "unique" : false }, { "id" : "CVE-2023-24540", "title" : "Improper handling of JavaScript whitespace in html/template", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-24540" ], "unique" : false }, { "id" : "CVE-2023-39323", "title" : "Arbitrary code execution during build via line directives in cmd/go", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-39323" ], "unique" : false }, { "id" : "CVE-2026-27143", "title" : "Missing bound checks can lead to memory corruption in safe Go in cmd/compile", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-27143" ], "unique" : false }, { "id" : "CVE-2026-27144", "title" : "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-27144" ], "unique" : false }, { "id" : "CVE-2023-29403", "title" : "Unsafe behavior in setuid/setgid binaries in runtime", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29403" ], "unique" : false }, { "id" : "CVE-2026-32282", "title" : "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-32282" ], "unique" : false }, { "id" : "CVE-2022-2880", "title" : "Incorrect sanitization of forwarded query parameters in net/http/httputil", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-2880" ], "unique" : false }, { "id" : "CVE-2022-41723", "title" : "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-41723" ], "unique" : false }, { "id" : "CVE-2022-41724", "title" : "Panic on large handshake records in crypto/tls", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-41724" ], "unique" : false }, { "id" : "CVE-2022-41725", "title" : "Excessive resource consumption in mime/multipart", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-41725" ], "unique" : false }, { "id" : "CVE-2023-24534", "title" : "Excessive memory allocation in net/http and net/textproto", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24534" ], "unique" : false }, { "id" : "CVE-2023-24536", "title" : "Excessive resource consumption in net/http, net/textproto and mime/multipart", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24536" ], "unique" : false }, { "id" : "CVE-2023-24537", "title" : "Infinite loop in parsing in go/scanner", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24537" ], "unique" : false }, { "id" : "CVE-2023-29404", "title" : "Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-29404" ], "unique" : false }, { "id" : "CVE-2023-29405", "title" : "Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-29405" ], "unique" : false }, { "id" : "CVE-2023-39321", "title" : "Panic when processing post-handshake message on QUIC connections in crypto/tls", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-39321" ], "unique" : false }, { "id" : "CVE-2023-39322", "title" : "Memory exhaustion in QUIC connection handling in crypto/tls", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-39322" ], "unique" : false }, { "id" : "CVE-2023-39325", "title" : "HTTP/2 rapid reset can cause excessive work in net/http", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-39325" ], "unique" : false }, { "id" : "CVE-2023-44487", "title" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-44487" ], "unique" : false }, { "id" : "CVE-2023-45285", "title" : "Command 'go get' may unexpectedly fallback to insecure git in cmd/go", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-45285" ], "unique" : false }, { "id" : "CVE-2023-45288", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-45288" ], "unique" : false }, { "id" : "CVE-2024-1394", "title" : "Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-1394" ], "unique" : false }, { "id" : "CVE-2024-24788", "title" : "Malformed DNS message can cause infinite loop in net", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-24788" ], "unique" : false }, { "id" : "CVE-2024-34156", "title" : "Stack exhaustion in Decoder.Decode in encoding/gob", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-34156" ], "unique" : false }, { "id" : "CVE-2025-22874", "title" : "Usage of ExtKeyUsageAny disables policy validation in crypto/x509", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-22874" ], "unique" : false }, { "id" : "CVE-2025-58183", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-58183" ], "unique" : false }, { "id" : "CVE-2025-61726", "title" : "Memory exhaustion in query parameter parsing in net/url", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-61726" ], "unique" : false }, { "id" : "CVE-2025-61728", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-61728" ], "unique" : false }, { "id" : "CVE-2025-61729", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-61729" ], "unique" : false }, { "id" : "CVE-2026-25679", "title" : "Incorrect parsing of IPv6 host literals in net/url", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-25679" ], "unique" : false }, { "id" : "CVE-2026-27137", "title" : "Incorrect enforcement of email constraints in crypto/x509", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27137" ], "unique" : false }, { "id" : "CVE-2026-32280", "title" : "Unexpected work during chain building in crypto/x509", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-32280" ], "unique" : false }, { "id" : "CVE-2026-32283", "title" : "Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-32283" ], "unique" : false }, { "id" : "CVE-2025-61732", "title" : "Potential code smuggling via doc comments in cmd/cgo", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-61732" ], "unique" : false }, { "id" : "CVE-2025-68121", "title" : "Unexpected session resumption in crypto/tls", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-68121" ], "unique" : false }, { "id" : "CVE-2023-24539", "title" : "Improper sanitization of CSS values in html/template", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-24539" ], "unique" : false }, { "id" : "CVE-2023-29400", "title" : "Improper handling of empty HTML attributes in html/template", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-29400" ], "unique" : false }, { "id" : "CVE-2023-29402", "title" : "Code injection via go command with cgo in cmd/go", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-29402" ], "unique" : false }, { "id" : "CVE-2025-47907", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-47907" ], "unique" : false }, { "id" : "CVE-2025-4673", "title" : "Sensitive headers not cleared on cross-origin redirect in net/http", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-4673" ], "unique" : false }, { "id" : "CVE-2024-24790", "title" : "Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-24790" ], "unique" : false }, { "id" : "CVE-2022-27664", "title" : "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-27664" ], "unique" : false }, { "id" : "CVE-2022-2879", "title" : "Unbounded memory consumption when reading headers in archive/tar", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-2879" ], "unique" : false }, { "id" : "CVE-2022-32189", "title" : "Panic when decoding Float and Rat types in math/big", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-32189" ], "unique" : false }, { "id" : "CVE-2022-41715", "title" : "Memory exhaustion when compiling regular expressions in regexp/syntax", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-41715" ], "unique" : false }, { "id" : "CVE-2023-29406", "title" : "Insufficient sanitization of Host header in net/http", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-29406" ], "unique" : false }, { "id" : "CVE-2024-24785", "title" : "Errors returned from JSON marshaling may break template escaping in html/template", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-24785" ], "unique" : false }, { "id" : "CVE-2024-9355", "title" : "Golang-fips: golang fips zeroed buffer", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-9355" ], "unique" : false }, { "id" : "CVE-2025-47906", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-47906" ], "unique" : false }, { "id" : "CVE-2023-39318", "title" : "Improper handling of HTML-like comments in script contexts in html/template", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39318" ], "unique" : false }, { "id" : "CVE-2023-39319", "title" : "Improper handling of special tags within script contexts in html/template", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39319" ], "unique" : false }, { "id" : "CVE-2024-24783", "title" : "Verify panics on certificates with an unknown public key algorithm in crypto/x509", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-24783" ], "unique" : false }, { "id" : "CVE-2024-24791", "title" : "Denial of service due to improper 100-continue handling in net/http", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-24791" ], "unique" : false }, { "id" : "CVE-2024-34155", "title" : "Stack exhaustion in all Parse functions in go/parser", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-34155" ], "unique" : false }, { "id" : "CVE-2024-34158", "title" : "Stack exhaustion in Parse in go/build/constraint", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-34158" ], "unique" : false }, { "id" : "CVE-2024-45336", "title" : "Sensitive headers incorrectly sent after cross-domain redirect in net/http", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45336" ], "unique" : false }, { "id" : "CVE-2026-32281", "title" : "Inefficient policy validation in crypto/x509", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-32281" ], "unique" : false }, { "id" : "CVE-2024-24789", "title" : "Mishandling of corrupt central directory record in archive/zip", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-24789" ], "unique" : false }, { "id" : "CVE-2024-24784", "title" : "Comments in display names are incorrectly handled in net/mail", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-24784" ], "unique" : false }, { "id" : "CVE-2025-22871", "title" : "Request smuggling due to acceptance of invalid chunked data in net/http", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22871" ], "unique" : false }, { "id" : "CVE-2022-41717", "title" : "Excessive memory growth in net/http and golang.org/x/net/http2", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2022-41717" ], "unique" : false }, { "id" : "CVE-2023-24532", "title" : "Incorrect calculation on P256 curves in crypto/internal/nistec", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-24532" ], "unique" : false }, { "id" : "CVE-2023-29409", "title" : "Large RSA keys can cause high CPU usage in crypto/tls", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-29409" ], "unique" : false }, { "id" : "CVE-2023-39326", "title" : "Denial of service via chunk extensions in net/http", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39326" ], "unique" : false }, { "id" : "CVE-2023-45289", "title" : "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45289" ], "unique" : false }, { "id" : "CVE-2023-45290", "title" : "Memory exhaustion in multipart form parsing in net/textproto and net/http", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45290" ], "unique" : false }, { "id" : "CVE-2025-22866", "title" : "Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22866" ], "unique" : false }, { "id" : "CVE-2026-42507", "title" : "Arbitrary inputs are included in errors without any escaping in net/textproto", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42507" ], "unique" : false }, { "id" : "CVE-2024-45341", "title" : "Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45341" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-24538", "title" : "Backticks not treated as string delimiters in html/template", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2023-24538" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-headers@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/kernel-headers@5.14.0-162.18.1.el9_1?arch=x86_64&distro=rhel-9.1&upstream=kernel-5.14.0-162.18.1.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false }, { "id" : "CVE-2024-5154", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-5154" ], "unique" : false }, { "id" : "CVE-2025-21927", "title" : "nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()", "source" : "redhat-csaf", "cvssScore" : 8.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21927" ], "unique" : false }, { "id" : "CVE-2023-1652", "title" : "A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-1652" ], "unique" : false }, { "id" : "CVE-2023-52922", "title" : "can: bcm: Fix UAF in bcm_proc_show()", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-52922" ], "unique" : false }, { "id" : "CVE-2024-36971", "title" : "net: fix __dst_negative_advice() race", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2024-36971" ], "unique" : false }, { "id" : "CVE-2025-21756", "title" : "vsock: Keep the binding until socket destruction", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-21756" ], "unique" : false }, { "id" : "CVE-2025-22020", "title" : "memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-22020" ], "unique" : false }, { "id" : "CVE-2025-38052", "title" : "net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-38052" ], "unique" : false }, { "id" : "CVE-2025-38087", "title" : "net/sched: fix use-after-free in taprio_dev_notifier", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-38087" ], "unique" : false }, { "id" : "CVE-2022-41723", "title" : "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-41723" ], "unique" : false }, { "id" : "CVE-2025-38471", "title" : "tls: always refresh the queue when reading sock", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-38471" ], "unique" : false }, { "id" : "CVE-2023-53752", "title" : "net: deal with integer overflows in kmalloc_reserve()", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-53752" ], "unique" : false }, { "id" : "CVE-2024-42284", "title" : "tipc: Return non-zero value from tipc_udp_addr2str() on error", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-42284" ], "unique" : false }, { "id" : "CVE-2024-53104", "title" : "media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-53104" ], "unique" : false }, { "id" : "CVE-2025-37750", "title" : "smb: client: fix UAF in decryption with multichannel", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-37750" ], "unique" : false }, { "id" : "CVE-2025-38250", "title" : "Bluetooth: hci_core: Fix use-after-free in vhci_flush()", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-38250" ], "unique" : false }, { "id" : "CVE-2022-49846", "title" : "udf: Fix a slab-out-of-bounds write bug in udf_find_entry()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2022-49846" ], "unique" : false }, { "id" : "CVE-2023-52933", "title" : "Squashfs: fix handling and sanity checking of xattr_ids count", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-52933" ], "unique" : false }, { "id" : "CVE-2023-53751", "title" : "cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-53751" ], "unique" : false }, { "id" : "CVE-2023-6606", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-6606" ], "unique" : false }, { "id" : "CVE-2023-6610", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-6610" ], "unique" : false }, { "id" : "CVE-2024-35937", "title" : "wifi: cfg80211: check A-MSDU format more carefully", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-35937" ], "unique" : false }, { "id" : "CVE-2024-38538", "title" : "net: bridge: xmit: make sure we have at least eth header len bytes", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-38538" ], "unique" : false }, { "id" : "CVE-2024-53150", "title" : "ALSA: usb-audio: Fix out of bounds reads when finding clock sources", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-53150" ], "unique" : false }, { "id" : "CVE-2024-57947", "title" : "netfilter: nf_set_pipapo: fix initial map fill", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-57947" ], "unique" : false }, { "id" : "CVE-2025-21887", "title" : "ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21887" ], "unique" : false }, { "id" : "CVE-2025-21893", "title" : "keys: Fix UAF in key_put()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21893" ], "unique" : false }, { "id" : "CVE-2025-21920", "title" : "vlan: enforce underlying device type", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21920" ], "unique" : false }, { "id" : "CVE-2025-21969", "title" : "Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21969" ], "unique" : false }, { "id" : "CVE-2025-21979", "title" : "wifi: cfg80211: cancel wiphy_work before freeing wiphy", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21979" ], "unique" : false }, { "id" : "CVE-2025-21993", "title" : "iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21993" ], "unique" : false }, { "id" : "CVE-2025-21997", "title" : "xsk: fix an integer overflow in xp_create_and_assign_umem()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21997" ], "unique" : false }, { "id" : "CVE-2025-22026", "title" : "nfsd: don't ignore the return code of svc_proc_register()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22026" ], "unique" : false }, { "id" : "CVE-2025-22055", "title" : "net: fix geneve_opt length integer overflow", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22055" ], "unique" : false }, { "id" : "CVE-2025-22058", "title" : "udp: Fix memory accounting leak.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22058" ], "unique" : false }, { "id" : "CVE-2025-22104", "title" : "ibmvnic: Use kernel helpers for hex dumps", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22104" ], "unique" : false }, { "id" : "CVE-2025-22113", "title" : "ext4: avoid journaling sb update on error if journal is destroying", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22113" ], "unique" : false }, { "id" : "CVE-2025-22121", "title" : "ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22121" ], "unique" : false }, { "id" : "CVE-2025-37738", "title" : "ext4: ignore xattrs past end", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-37738" ], "unique" : false }, { "id" : "CVE-2025-37799", "title" : "vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-37799" ], "unique" : false }, { "id" : "CVE-2025-38264", "title" : "nvme-tcp: sanitize request list handling", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-38264" ], "unique" : false }, { "id" : "CVE-2022-49977", "title" : "ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-49977" ], "unique" : false }, { "id" : "CVE-2022-50066", "title" : "net: atlantic: fix aq_vec index out of range error", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-50066" ], "unique" : false }, { "id" : "CVE-2023-53047", "title" : "tee: amdtee: fix race condition in amdtee_open_session", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-53047" ], "unique" : false }, { "id" : "CVE-2023-53107", "title" : "veth: Fix use after free in XDP_REDIRECT", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-53107" ], "unique" : false }, { "id" : "CVE-2023-6932", "title" : "Use-after-free in Linux kernel's ipv4: igmp component", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-6932" ], "unique" : false }, { "id" : "CVE-2024-0646", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-0646" ], "unique" : false }, { "id" : "CVE-2024-46858", "title" : "mptcp: pm: Fix uaf in __timer_delete_sync", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-46858" ], "unique" : false }, { "id" : "CVE-2024-50154", "title" : "tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-50154" ], "unique" : false }, { "id" : "CVE-2024-53141", "title" : "netfilter: ipset: add missing range check in bitmap_ip_uadt", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-53141" ], "unique" : false }, { "id" : "CVE-2025-21727", "title" : "padata: fix UAF in padata_reorder", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21727" ], "unique" : false }, { "id" : "CVE-2025-21764", "title" : "ndisc: use RCU protection in ndisc_alloc_skb()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21764" ], "unique" : false }, { "id" : "CVE-2025-21867", "title" : "bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21867" ], "unique" : false }, { "id" : "CVE-2025-21919", "title" : "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21919" ], "unique" : false }, { "id" : "CVE-2025-21926", "title" : "net: gso: fix ownership in __udp_gso_segment", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21926" ], "unique" : false }, { "id" : "CVE-2025-21966", "title" : "dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21966" ], "unique" : false }, { "id" : "CVE-2025-22004", "title" : "net: atm: fix use after free in lec_send()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-22004" ], "unique" : false }, { "id" : "CVE-2025-22126", "title" : "md: fix mddev uaf while iterating all_mddevs list", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-22126" ], "unique" : false }, { "id" : "CVE-2025-37797", "title" : "net_sched: hfsc: Fix a UAF vulnerability in class handling", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37797" ], "unique" : false }, { "id" : "CVE-2025-37803", "title" : "udmabuf: fix a buf size overflow issue during udmabuf creation", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37803" ], "unique" : false }, { "id" : "CVE-2025-37890", "title" : "net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37890" ], "unique" : false }, { "id" : "CVE-2025-37914", "title" : "net_sched: ets: Fix double list add in class with netem as child qdisc", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37914" ], "unique" : false }, { "id" : "CVE-2025-37943", "title" : "wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37943" ], "unique" : false }, { "id" : "CVE-2025-38079", "title" : "crypto: algif_hash - fix double free in hash_accept", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38079" ], "unique" : false }, { "id" : "CVE-2025-38086", "title" : "net: ch9200: fix uninitialised access during mii_nway_restart", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38086" ], "unique" : false }, { "id" : "CVE-2025-38124", "title" : "net: fix udp gso skb_segment after pull from frag_list", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38124" ], "unique" : false }, { "id" : "CVE-2025-38177", "title" : "sch_hfsc: make hfsc_qlen_notify() idempotent", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38177" ], "unique" : false }, { "id" : "CVE-2025-38200", "title" : "i40e: fix MMIO write access to an invalid page in i40e_clear_hw", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38200" ], "unique" : false }, { "id" : "CVE-2025-38332", "title" : "scsi: lpfc: Use memcpy() for BIOS version", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38332" ], "unique" : false }, { "id" : "CVE-2022-50616", "title" : "regulator: core: Use different devices for resource allocation and DT lookup", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50616" ], "unique" : false }, { "id" : "CVE-2024-56614", "title" : "xsk: fix OOB map writes when deleting elements", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-56614" ], "unique" : false }, { "id" : "CVE-2024-56615", "title" : "bpf: fix OOB devmap writes when deleting elements", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-56615" ], "unique" : false }, { "id" : "CVE-2025-21883", "title" : "ice: Fix deinitializing VF in error path", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21883" ], "unique" : false }, { "id" : "CVE-2025-21928", "title" : "HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21928" ], "unique" : false }, { "id" : "CVE-2025-21929", "title" : "HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21929" ], "unique" : false }, { "id" : "CVE-2025-21991", "title" : "x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21991" ], "unique" : false }, { "id" : "CVE-2025-22085", "title" : "RDMA/core: Fix use-after-free when rename device name", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22085" ], "unique" : false }, { "id" : "CVE-2021-47383", "title" : "tty: Fix out-of-bound vmalloc access in imageblit", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2021-47383" ], "unique" : false }, { "id" : "CVE-2025-21759", "title" : "ipv6: mcast: extend RCU protection in igmp6_send()", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21759" ], "unique" : false }, { "id" : "CVE-2023-28746", "title" : "Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-28746" ], "unique" : false }, { "id" : "CVE-2023-6356", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6356" ], "unique" : false }, { "id" : "CVE-2023-6535", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6535" ], "unique" : false }, { "id" : "CVE-2023-6536", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6536" ], "unique" : false }, { "id" : "CVE-2024-21823", "title" : "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-21823" ], "unique" : false }, { "id" : "CVE-2025-21999", "title" : "proc: fix UAF in proc_get_inode()", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21999" ], "unique" : false }, { "id" : "CVE-2025-38350", "title" : "net/sched: Always pass notifications when child class becomes empty", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38350" ], "unique" : false }, { "id" : "CVE-2024-46695", "title" : "selinux,smack: don't bypass permissions check in inode_setsecctx hook", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46695" ], "unique" : false }, { "id" : "CVE-2024-50275", "title" : "arm64/sve: Discard stale CPU state when handling SVE traps", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50275" ], "unique" : false }, { "id" : "CVE-2024-42292", "title" : "kobject_uevent: Fix OOB access within zap_modalias_env()", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42292" ], "unique" : false }, { "id" : "CVE-2024-50302", "title" : "HID: core: zero-initialize the report buffer", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50302" ], "unique" : false }, { "id" : "CVE-2022-49395", "title" : "um: Fix out-of-bounds read in LDT setup", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2022-49395" ], "unique" : false }, { "id" : "CVE-2023-5090", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5090" ], "unique" : false }, { "id" : "CVE-2024-26664", "title" : "hwmon: (coretemp) Fix out-of-bounds memory access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26664" ], "unique" : false }, { "id" : "CVE-2024-50264", "title" : "vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50264" ], "unique" : false }, { "id" : "CVE-2025-38110", "title" : "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38110" ], "unique" : false }, { "id" : "CVE-2024-53122", "title" : "mptcp: cope racing subflow creation in mptcp_rcv_space_adjust", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53122" ], "unique" : false }, { "id" : "CVE-2024-53197", "title" : "ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53197" ], "unique" : false }, { "id" : "CVE-2024-36941", "title" : "wifi: nl80211: don't free NULL coalescing rule", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36941" ], "unique" : false }, { "id" : "CVE-2024-38627", "title" : "stm class: Fix a double free in stm_register_device()", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38627" ], "unique" : false }, { "id" : "CVE-2022-50042", "title" : "net: genl: fix error path memory leak in policy dumping", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50042" ], "unique" : false }, { "id" : "CVE-2022-50353", "title" : "mmc: wmt-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50353" ], "unique" : false }, { "id" : "CVE-2022-50678", "title" : "wifi: brcmfmac: fix invalid address access when enabling SCAN log level", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50678" ], "unique" : false }, { "id" : "CVE-2023-1074", "title" : "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1074" ], "unique" : false }, { "id" : "CVE-2023-45862", "title" : "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45862" ], "unique" : false }, { "id" : "CVE-2023-52490", "title" : "mm: migrate: fix getting incorrect page mapping during page migration", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52490" ], "unique" : false }, { "id" : "CVE-2023-52658", "title" : "Revert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52658" ], "unique" : false }, { "id" : "CVE-2023-53291", "title" : "rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53291" ], "unique" : false }, { "id" : "CVE-2023-53391", "title" : "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53391" ], "unique" : false }, { "id" : "CVE-2023-53597", "title" : "cifs: fix mid leak during reconnection after timeout threshold", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53597" ], "unique" : false }, { "id" : "CVE-2023-53704", "title" : "clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53704" ], "unique" : false }, { "id" : "CVE-2023-54004", "title" : "udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54004" ], "unique" : false }, { "id" : "CVE-2023-54093", "title" : "media: anysee: fix null-ptr-deref in anysee_master_xfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54093" ], "unique" : false }, { "id" : "CVE-2023-54271", "title" : "blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54271" ], "unique" : false }, { "id" : "CVE-2023-7192", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7192" ], "unique" : false }, { "id" : "CVE-2024-0443", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0443" ], "unique" : false }, { "id" : "CVE-2024-26615", "title" : "net/smc: fix illegal rmb_desc access in SMC-D connection dump", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26615" ], "unique" : false }, { "id" : "CVE-2024-26878", "title" : "quota: Fix potential NULL pointer dereference", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26878" ], "unique" : false }, { "id" : "CVE-2024-27046", "title" : "nfp: flower: handle acti_netdevs allocation failure", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27046" ], "unique" : false }, { "id" : "CVE-2024-27052", "title" : "wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27052" ], "unique" : false }, { "id" : "CVE-2024-35789", "title" : "wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35789" ], "unique" : false }, { "id" : "CVE-2024-35852", "title" : "mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35852" ], "unique" : false }, { "id" : "CVE-2024-35890", "title" : "gro: fix ownership transfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35890" ], "unique" : false }, { "id" : "CVE-2024-35907", "title" : "mlxbf_gige: call request_irq() after NAPI initialized", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35907" ], "unique" : false }, { "id" : "CVE-2024-35952", "title" : "drm/ast: Fix soft lockup", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35952" ], "unique" : false }, { "id" : "CVE-2024-35989", "title" : "dmaengine: idxd: Fix oops during rmmod on single-CPU platforms", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35989" ], "unique" : false }, { "id" : "CVE-2024-39483", "title" : "KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-39483" ], "unique" : false }, { "id" : "CVE-2024-40959", "title" : "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-40959" ], "unique" : false }, { "id" : "CVE-2024-41035", "title" : "USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41035" ], "unique" : false }, { "id" : "CVE-2024-41064", "title" : "powerpc/eeh: avoid possible crash when edev->pdev changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41064" ], "unique" : false }, { "id" : "CVE-2024-42079", "title" : "gfs2: Fix NULL pointer dereference in gfs2_log_flush", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42079" ], "unique" : false }, { "id" : "CVE-2024-42272", "title" : "sched: act_ct: take care of padding in struct zones_ht_key", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42272" ], "unique" : false }, { "id" : "CVE-2024-42283", "title" : "net: nexthop: Initialize all fields in dumped nexthops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42283" ], "unique" : false }, { "id" : "CVE-2024-42322", "title" : "ipvs: properly dereference pe in ip_vs_add_service", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42322" ], "unique" : false }, { "id" : "CVE-2024-43854", "title" : "block: initialize integrity buffer to zero before writing it to media", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43854" ], "unique" : false }, { "id" : "CVE-2024-44990", "title" : "bonding: fix null pointer deref in bond_ipsec_offload_ok", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44990" ], "unique" : false }, { "id" : "CVE-2024-44994", "title" : "iommu: Restore lost return in iommu_report_device_fault()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44994" ], "unique" : false }, { "id" : "CVE-2024-45018", "title" : "netfilter: flowtable: initialise extack before use", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45018" ], "unique" : false }, { "id" : "CVE-2024-46713", "title" : "perf/aux: Fix AUX buffer serialization", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46713" ], "unique" : false }, { "id" : "CVE-2024-46824", "title" : "iommufd: Require drivers to supply the cache_invalidate_user ops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46824" ], "unique" : false }, { "id" : "CVE-2024-49949", "title" : "net: avoid potential underflow in qdisc_pkt_len_init() with UFO", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-49949" ], "unique" : false }, { "id" : "CVE-2024-50208", "title" : "RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50208" ], "unique" : false }, { "id" : "CVE-2024-50251", "title" : "netfilter: nft_payload: sanitize offset and length before calling skb_checksum()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50251" ], "unique" : false }, { "id" : "CVE-2024-50252", "title" : "mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50252" ], "unique" : false }, { "id" : "CVE-2024-53113", "title" : "mm: fix NULL pointer dereference in alloc_pages_bulk_noprof", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53113" ], "unique" : false }, { "id" : "CVE-2025-21669", "title" : "vsock/virtio: discard packets if the transport changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21669" ], "unique" : false }, { "id" : "CVE-2025-21962", "title" : "cifs: Fix integer overflow while processing closetimeo mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21962" ], "unique" : false }, { "id" : "CVE-2025-21963", "title" : "cifs: Fix integer overflow while processing acdirmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21963" ], "unique" : false }, { "id" : "CVE-2025-21964", "title" : "cifs: Fix integer overflow while processing acregmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21964" ], "unique" : false }, { "id" : "CVE-2025-37785", "title" : "ext4: fix OOB read when checking dotdot dir", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-37785" ], "unique" : false }, { "id" : "CVE-2025-38234", "title" : "sched/rt: Fix race in push_rt_task", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38234" ], "unique" : false }, { "id" : "CVE-2023-52448", "title" : "gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52448" ], "unique" : false }, { "id" : "CVE-2023-53755", "title" : "dmaengine: ptdma: check for null desc before calling pt_cmd_callback", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53755" ], "unique" : false }, { "id" : "CVE-2024-47745", "title" : "mm: call the security_mmap_file() LSM hook in remap_file_pages()", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-47745" ], "unique" : false }, { "id" : "CVE-2024-53088", "title" : "i40e: fix race condition by adding filter's intermediate sync state", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53088" ], "unique" : false }, { "id" : "CVE-2025-21961", "title" : "eth: bnxt: fix truesize for mb-xdp-pass case", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21961" ], "unique" : false }, { "id" : "CVE-2025-22036", "title" : "exfat: fix random stack corruption after get_block", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22036" ], "unique" : false }, { "id" : "CVE-2025-38417", "title" : "ice: fix eswitch code memory leak in reset scenario", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38417" ], "unique" : false }, { "id" : "CVE-2023-52771", "title" : "cxl/port: Fix delete_endpoint() vs parent unregistration race", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52771" ], "unique" : false }, { "id" : "CVE-2023-52864", "title" : "platform/x86: wmi: Fix opening of char device", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52864" ], "unique" : false }, { "id" : "CVE-2024-26855", "title" : "net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26855" ], "unique" : false }, { "id" : "CVE-2024-35845", "title" : "wifi: iwlwifi: dbg-tlv: ensure NUL termination", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35845" ], "unique" : false }, { "id" : "CVE-2024-36922", "title" : "wifi: iwlwifi: read txq->read_ptr under lock", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36922" ], "unique" : false }, { "id" : "CVE-2024-38555", "title" : "net/mlx5: Discard command completions in internal error", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38555" ], "unique" : false }, { "id" : "CVE-2024-38556", "title" : "net/mlx5: Add a timeout to acquire the command queue semaphore", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38556" ], "unique" : false }, { "id" : "CVE-2024-43855", "title" : "md: fix deadlock between mddev_suspend and flush bio", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43855" ], "unique" : false }, { "id" : "CVE-2024-46826", "title" : "ELF: fix kernel.randomize_va_space double read", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46826" ], "unique" : false }, { "id" : "CVE-2024-26897", "title" : "wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26897" ], "unique" : false }, { "id" : "CVE-2024-38586", "title" : "r8169: Fix possible ring buffer corruption on fragmented Tx packets.", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38586" ], "unique" : false }, { "id" : "CVE-2022-50846", "title" : "mmc: via-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2022-50846" ], "unique" : false }, { "id" : "CVE-2023-53639", "title" : "wifi: ath6kl: reduce WARN to dev_dbg() in callback", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-53639" ], "unique" : false }, { "id" : "CVE-2023-54153", "title" : "ext4: turn quotas off if mount failed after enabling quotas", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-54153" ], "unique" : false }, { "id" : "CVE-2023-54267", "title" : "powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2023-54267" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-devel@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl {\n socket.on('error', err => {\n console.log(err)\n })\n})\n```", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-59465" ], "unique" : false }, { "id" : "CVE-2026-1526", "title" : "undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1526" ], "unique" : false }, { "id" : "CVE-2026-1528", "title" : "undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1528" ], "unique" : false }, { "id" : "CVE-2026-21710", "title" : "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-21710" ], "unique" : false }, { "id" : "CVE-2026-2229", "title" : "undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-2229" ], "unique" : false }, { "id" : "CVE-2026-27135", "title" : "nghttp2 Denial of service: Assertion failure due to the missing state validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27135" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false }, { "id" : "CVE-2026-1525", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2026-1525" ], "unique" : false }, { "id" : "CVE-2025-55130", "title" : "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55130" ], "unique" : false }, { "id" : "CVE-2025-55131", "title" : "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55131" ], "unique" : false }, { "id" : "CVE-2023-30589", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-30589" ], "unique" : false }, { "id" : "CVE-2025-31498", "title" : "c-ares has a use-after-free in read_answers()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-31498" ], "unique" : false }, { "id" : "CVE-2025-22150", "title" : "Undici Uses Insufficiently Random Values", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22150" ], "unique" : false }, { "id" : "CVE-2023-23936", "title" : "CRLF Injection in Nodejs ‘undici’ via host", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23936" ], "unique" : false }, { "id" : "CVE-2024-22025", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-22025" ], "unique" : false }, { "id" : "CVE-2026-1527", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1527" ], "unique" : false }, { "id" : "CVE-2026-21712", "title" : "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21712" ], "unique" : false }, { "id" : "CVE-2026-25547", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-25547" ], "unique" : false }, { "id" : "CVE-2026-26996", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-26996" ], "unique" : false }, { "id" : "CVE-2026-27904", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27904" ], "unique" : false }, { "id" : "CVE-2024-27982", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27982" ], "unique" : false }, { "id" : "CVE-2023-31147", "title" : "Insufficient randomness in generation of DNS query IDs in c-ares", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31147" ], "unique" : false }, { "id" : "CVE-2025-59466", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59466" ], "unique" : false }, { "id" : "CVE-2026-21637", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21637" ], "unique" : false }, { "id" : "CVE-2026-21713", "title" : "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21713" ], "unique" : false }, { "id" : "CVE-2026-21717", "title" : "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21717" ], "unique" : false }, { "id" : "CVE-2026-2581", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2581" ], "unique" : false }, { "id" : "CVE-2023-31130", "title" : "Buffer Underwrite in ares_inet_net_pton()", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31130" ], "unique" : false }, { "id" : "CVE-2023-30588", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30588" ], "unique" : false }, { "id" : "CVE-2024-28182", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28182" ], "unique" : false }, { "id" : "CVE-2025-23085", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-23085" ], "unique" : false }, { "id" : "CVE-2026-21714", "title" : "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21714" ], "unique" : false }, { "id" : "CVE-2026-21711", "title" : "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.", "source" : "redhat-csaf", "cvssScore" : 5.2, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21711" ], "unique" : false }, { "id" : "CVE-2024-25629", "title" : "c-ares out of bounds read in ares__read_line()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-25629" ], "unique" : false }, { "id" : "CVE-2023-23920", "title" : "An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23920" ], "unique" : false }, { "id" : "CVE-2026-21716", "title" : "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.8, "severity" : "LOW", "cves" : [ "CVE-2026-21716" ], "unique" : false }, { "id" : "CVE-2023-31124", "title" : "AutoTools does not set CARES_RANDOM_FILE during cross compilation", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2023-31124" ], "unique" : false }, { "id" : "CVE-2025-23165", "title" : "In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\r\n\r\nImpact:\r\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2025-23165" ], "unique" : false }, { "id" : "CVE-2026-21715", "title" : "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-21715" ], "unique" : false }, { "id" : "CVE-2025-55132", "source" : "redhat-csaf", "cvssScore" : 2.8, "severity" : "LOW", "cves" : [ "CVE-2025-55132" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-32006", "title" : "The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-32006" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-base@6.2-8.20210508.el9?arch=noarch&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcap@2.48-8.el9?arch=x86_64&distro=rhel-9.1&upstream=libcap-2.48-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false }, { "id" : "CVE-2026-4878", "title" : "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4878" ], "unique" : false }, { "id" : "CVE-2023-2602", "title" : "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-2602" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libbrotli@1.0.9-6.el9?arch=x86_64&distro=rhel-9.1&upstream=brotli-1.0.9-6.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libstdc%2B%2B@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gd-devel@2.3.2-3.el9?arch=x86_64&distro=rhel-9.1&upstream=gd-2.3.2-3.el9.src.rpm", "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libwebp-devel@1.2.0-3.el9?arch=x86_64&distro=rhel-9.1&upstream=libwebp-1.2.0-3.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-4863", "title" : "Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)", "source" : "redhat-csaf", "cvssScore" : 9.6, "severity" : "CRITICAL", "cves" : [ "CVE-2023-4863" ], "unique" : false }, { "id" : "CVE-2023-1999", "title" : "Use after free in libwebp", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-1999" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-4863", "title" : "Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)", "source" : "redhat-csaf", "cvssScore" : 9.6, "severity" : "CRITICAL", "cves" : [ "CVE-2023-4863" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libxml2-devel@2.9.13-3.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libxml2-2.9.13-3.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-40896", "title" : "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2024-40896" ], "unique" : false }, { "id" : "CVE-2025-49794", "title" : "Libxml: heap use after free (uaf) leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2025-49794" ], "unique" : false }, { "id" : "CVE-2025-49796", "title" : "Libxml: type confusion leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2025-49796" ], "unique" : false }, { "id" : "CVE-2024-56171", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-56171" ], "unique" : false }, { "id" : "CVE-2025-24928", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-24928" ], "unique" : false }, { "id" : "CVE-2025-7425", "title" : "Libxslt: libxml2: heap use-after-free in libxslt caused by atype corruption in xmlattrptr", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-7425" ], "unique" : false }, { "id" : "CVE-2024-25062", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-25062" ], "unique" : false }, { "id" : "CVE-2025-32415", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-32415" ], "unique" : false }, { "id" : "CVE-2025-49795", "title" : "Libxml: null pointer dereference leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-49795" ], "unique" : false }, { "id" : "CVE-2025-6021", "title" : "Libxml2: integer overflow in xmlbuildqname() leads to stack buffer overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6021" ], "unique" : false }, { "id" : "CVE-2025-7424", "title" : "Libxslt: type confusion in xmlnode.psvi between stylesheet and source nodes", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-7424" ], "unique" : false }, { "id" : "CVE-2023-39615", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39615" ], "unique" : false }, { "id" : "CVE-2025-9714", "title" : "Stack overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9714" ], "unique" : false }, { "id" : "CVE-2022-49043", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2022-49043" ], "unique" : false }, { "id" : "CVE-2023-28484", "title" : "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-28484" ], "unique" : false }, { "id" : "CVE-2023-29469", "title" : "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-29469" ], "unique" : false }, { "id" : "CVE-2025-32414", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32414" ], "unique" : false }, { "id" : "CVE-2024-34459", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-34459" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-40896", "title" : "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2024-40896" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libxml2@2.9.13-3.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libxml2-2.9.13-3.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-40896", "title" : "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2024-40896" ], "unique" : false }, { "id" : "CVE-2025-49794", "title" : "Libxml: heap use after free (uaf) leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2025-49794" ], "unique" : false }, { "id" : "CVE-2025-49796", "title" : "Libxml: type confusion leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2025-49796" ], "unique" : false }, { "id" : "CVE-2024-56171", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-56171" ], "unique" : false }, { "id" : "CVE-2025-24928", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-24928" ], "unique" : false }, { "id" : "CVE-2025-7425", "title" : "Libxslt: libxml2: heap use-after-free in libxslt caused by atype corruption in xmlattrptr", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-7425" ], "unique" : false }, { "id" : "CVE-2024-25062", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-25062" ], "unique" : false }, { "id" : "CVE-2025-32415", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-32415" ], "unique" : false }, { "id" : "CVE-2025-49795", "title" : "Libxml: null pointer dereference leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-49795" ], "unique" : false }, { "id" : "CVE-2025-6021", "title" : "Libxml2: integer overflow in xmlbuildqname() leads to stack buffer overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6021" ], "unique" : false }, { "id" : "CVE-2025-7424", "title" : "Libxslt: type confusion in xmlnode.psvi between stylesheet and source nodes", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-7424" ], "unique" : false }, { "id" : "CVE-2023-39615", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39615" ], "unique" : false }, { "id" : "CVE-2026-6732", "title" : "Libxml2: libxml2: denial of service via crafted xsd-validated document", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6732" ], "unique" : false }, { "id" : "CVE-2025-9714", "title" : "Stack overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9714" ], "unique" : false }, { "id" : "CVE-2026-1757", "title" : "Libxml2: memory leak leading to local denial of service in xmllint interactive shell", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1757" ], "unique" : false }, { "id" : "CVE-2022-49043", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2022-49043" ], "unique" : false }, { "id" : "CVE-2023-28484", "title" : "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-28484" ], "unique" : false }, { "id" : "CVE-2023-29469", "title" : "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-29469" ], "unique" : false }, { "id" : "CVE-2026-0990", "title" : "Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0990" ], "unique" : false }, { "id" : "CVE-2025-32414", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32414" ], "unique" : false }, { "id" : "CVE-2024-34459", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-34459" ], "unique" : false }, { "id" : "CVE-2025-26434", "title" : "In libxml2, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-26434" ], "unique" : false }, { "id" : "CVE-2026-11979", "title" : "Stack-Based Buffer Overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-11979" ], "unique" : false }, { "id" : "CVE-2026-0989", "title" : "Libxml2: unbounded relaxng include recursion leading to stack overflow", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-0989" ], "unique" : false }, { "id" : "CVE-2026-0992", "title" : "Libxml2: libxml2: denial of service via crafted xml catalogs", "source" : "redhat-csaf", "cvssScore" : 2.9, "severity" : "LOW", "cves" : [ "CVE-2026-0992" ], "unique" : false }, { "id" : "CVE-2025-6170", "title" : "Libxml2: stack buffer overflow in xmllint interactive shell command handling", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2025-6170" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-40896", "title" : "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2024-40896" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtiff-devel@4.4.0-5.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtiff-4.4.0-5.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2022-3970", "title" : "LibTIFF tif_getimage.c TIFFReadRGBATileExt integer overflow", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2022-3970" ], "unique" : false }, { "id" : "CVE-2025-9900", "title" : "Libtiff: libtiff write-what-where", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2025-9900" ], "unique" : false }, { "id" : "CVE-2025-8176", "title" : "LibTIFF tiffmedian.c get_histogram use after free", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-8176" ], "unique" : false }, { "id" : "CVE-2026-4775", "title" : "Libtiff: libtiff: arbitrary code execution or denial of service via signed integer overflow in tiff file processing", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-4775" ], "unique" : false }, { "id" : "CVE-2017-17095", "title" : "tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2017-17095" ], "unique" : false }, { "id" : "CVE-2023-52355", "title" : "Libtiff: tiffrasterscanlinesize64 produce too-big size and could cause oom", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52355" ], "unique" : false }, { "id" : "CVE-2023-52356", "title" : "Libtiff: segment fault in libtiff in tiffreadrgbatileext() leading to denial of service", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52356" ], "unique" : false }, { "id" : "CVE-2024-7006", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-7006" ], "unique" : false }, { "id" : "CVE-2022-3597", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3597" ], "unique" : false }, { "id" : "CVE-2022-3598", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3598" ], "unique" : false }, { "id" : "CVE-2022-3599", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3599" ], "unique" : false }, { "id" : "CVE-2022-3626", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3626" ], "unique" : false }, { "id" : "CVE-2022-3627", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3627" ], "unique" : false }, { "id" : "CVE-2022-40090", "title" : "An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-40090" ], "unique" : false }, { "id" : "CVE-2023-3618", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3618" ], "unique" : false }, { "id" : "CVE-2023-40745", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-40745" ], "unique" : false }, { "id" : "CVE-2023-41175", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-41175" ], "unique" : false }, { "id" : "CVE-2023-30774", "title" : "A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30774" ], "unique" : false }, { "id" : "CVE-2023-30775", "title" : "A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30775" ], "unique" : false }, { "id" : "CVE-2023-0795", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0795" ], "unique" : false }, { "id" : "CVE-2023-0796", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0796" ], "unique" : false }, { "id" : "CVE-2023-0797", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0797" ], "unique" : false }, { "id" : "CVE-2023-0798", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0798" ], "unique" : false }, { "id" : "CVE-2023-0800", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0800" ], "unique" : false }, { "id" : "CVE-2023-0801", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0801" ], "unique" : false }, { "id" : "CVE-2023-0802", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0802" ], "unique" : false }, { "id" : "CVE-2023-0803", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0803" ], "unique" : false }, { "id" : "CVE-2023-0804", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0804" ], "unique" : false }, { "id" : "CVE-2022-4645", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2022-4645" ], "unique" : false }, { "id" : "CVE-2022-3570", "title" : "Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3570" ], "unique" : false }, { "id" : "CVE-2022-48281", "title" : "processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., \"WRITE of size 307203\") via a crafted TIFF image.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-48281" ], "unique" : false }, { "id" : "CVE-2023-0799", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0799" ], "unique" : false }, { "id" : "CVE-2023-26965", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-26965" ], "unique" : false }, { "id" : "CVE-2023-26966", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-26966" ], "unique" : false }, { "id" : "CVE-2023-2731", "title" : "A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2731" ], "unique" : false }, { "id" : "CVE-2023-30086", "title" : "Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30086" ], "unique" : false }, { "id" : "CVE-2023-3316", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3316" ], "unique" : false }, { "id" : "CVE-2023-3576", "title" : "Libtiff: memory leak in tiffcrop.c", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3576" ], "unique" : false }, { "id" : "CVE-2023-6228", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-6228" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2022-3970", "title" : "LibTIFF tif_getimage.c TIFFReadRGBATileExt integer overflow", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2022-3970" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtiff@4.4.0-5.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtiff-4.4.0-5.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2022-3970", "title" : "LibTIFF tif_getimage.c TIFFReadRGBATileExt integer overflow", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2022-3970" ], "unique" : false }, { "id" : "CVE-2025-9900", "title" : "Libtiff: libtiff write-what-where", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2025-9900" ], "unique" : false }, { "id" : "CVE-2025-8176", "title" : "LibTIFF tiffmedian.c get_histogram use after free", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-8176" ], "unique" : false }, { "id" : "CVE-2026-4775", "title" : "Libtiff: libtiff: arbitrary code execution or denial of service via signed integer overflow in tiff file processing", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2026-4775" ], "unique" : false }, { "id" : "CVE-2017-17095", "title" : "tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2017-17095" ], "unique" : false }, { "id" : "CVE-2023-52355", "title" : "Libtiff: tiffrasterscanlinesize64 produce too-big size and could cause oom", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52355" ], "unique" : false }, { "id" : "CVE-2023-52356", "title" : "Libtiff: segment fault in libtiff in tiffreadrgbatileext() leading to denial of service", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52356" ], "unique" : false }, { "id" : "CVE-2024-7006", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-7006" ], "unique" : false }, { "id" : "CVE-2026-12912", "title" : "Libtiff: libtiff: heap-based buffer overflow via crafted pixarlog-compressed tiff image", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2026-12912" ], "unique" : false }, { "id" : "CVE-2022-3597", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3597" ], "unique" : false }, { "id" : "CVE-2022-3598", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3598" ], "unique" : false }, { "id" : "CVE-2022-3599", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3599" ], "unique" : false }, { "id" : "CVE-2022-3626", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3626" ], "unique" : false }, { "id" : "CVE-2022-3627", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3627" ], "unique" : false }, { "id" : "CVE-2022-40090", "title" : "An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-40090" ], "unique" : false }, { "id" : "CVE-2023-3618", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3618" ], "unique" : false }, { "id" : "CVE-2023-40745", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-40745" ], "unique" : false }, { "id" : "CVE-2023-41175", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-41175" ], "unique" : false }, { "id" : "CVE-2023-30774", "title" : "A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30774" ], "unique" : false }, { "id" : "CVE-2023-30775", "title" : "A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30775" ], "unique" : false }, { "id" : "CVE-2023-0795", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0795" ], "unique" : false }, { "id" : "CVE-2023-0796", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0796" ], "unique" : false }, { "id" : "CVE-2023-0797", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0797" ], "unique" : false }, { "id" : "CVE-2023-0798", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0798" ], "unique" : false }, { "id" : "CVE-2023-0800", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0800" ], "unique" : false }, { "id" : "CVE-2023-0801", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0801" ], "unique" : false }, { "id" : "CVE-2023-0802", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0802" ], "unique" : false }, { "id" : "CVE-2023-0803", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0803" ], "unique" : false }, { "id" : "CVE-2023-0804", "title" : "LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0804" ], "unique" : false }, { "id" : "CVE-2022-4645", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2022-4645" ], "unique" : false }, { "id" : "CVE-2022-3570", "title" : "Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-3570" ], "unique" : false }, { "id" : "CVE-2022-48281", "title" : "processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., \"WRITE of size 307203\") via a crafted TIFF image.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-48281" ], "unique" : false }, { "id" : "CVE-2023-0799", "title" : "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0799" ], "unique" : false }, { "id" : "CVE-2023-26965", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-26965" ], "unique" : false }, { "id" : "CVE-2023-26966", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-26966" ], "unique" : false }, { "id" : "CVE-2023-2731", "title" : "A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2731" ], "unique" : false }, { "id" : "CVE-2023-30086", "title" : "Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30086" ], "unique" : false }, { "id" : "CVE-2023-3316", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3316" ], "unique" : false }, { "id" : "CVE-2023-3576", "title" : "Libtiff: memory leak in tiffcrop.c", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3576" ], "unique" : false }, { "id" : "CVE-2025-61143", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-61143" ], "unique" : false }, { "id" : "CVE-2025-61144", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-61144" ], "unique" : false }, { "id" : "CVE-2025-61145", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-61145" ], "unique" : false }, { "id" : "CVE-2023-6228", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-6228" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2022-3970", "title" : "LibTIFF tif_getimage.c TIFFReadRGBATileExt integer overflow", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2022-3970" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-setuptools-wheel@53.0.0-10.el9_1.1?arch=noarch&distro=rhel-9.1&upstream=python-setuptools-53.0.0-10.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-6345", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false }, { "id" : "CVE-2025-47273", "title" : "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-47273" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-6345", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-6345" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/graphite2@1.3.14-9.el9?arch=x86_64&distro=rhel-9.1&upstream=graphite2-1.3.14-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2017-5436", "title" : "An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2017-5436" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2017-5436", "title" : "An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2017-5436" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3-libs@3.9.14-1.el9_1.2?arch=x86_64&distro=rhel-9.1&upstream=python3.9-3.9.14-1.el9_1.2.src.rpm", "issues" : [ { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false }, { "id" : "CVE-2026-6100", "title" : "Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-6100" ], "unique" : false }, { "id" : "CVE-2023-6597", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-6597" ], "unique" : false }, { "id" : "CVE-2024-12718", "title" : "Bypass extraction filter to modify file metadata outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-12718" ], "unique" : false }, { "id" : "CVE-2025-4517", "title" : "Arbitrary writes via tarfile realpath overflow", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2025-4517" ], "unique" : false }, { "id" : "CVE-2023-24329", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24329" ], "unique" : false }, { "id" : "CVE-2024-6232", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-6232" ], "unique" : false }, { "id" : "CVE-2025-12084", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-12084" ], "unique" : false }, { "id" : "CVE-2025-4138", "title" : "Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4138" ], "unique" : false }, { "id" : "CVE-2025-4435", "title" : "Tarfile extracts filtered members when errorlevel=0", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4435" ], "unique" : false }, { "id" : "CVE-2025-8194", "title" : "Tarfile infinite loop during parsing with negative member offset", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-8194" ], "unique" : false }, { "id" : "CVE-2025-4330", "title" : "Extraction filter bypass for linking outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-4330" ], "unique" : false }, { "id" : "CVE-2025-15366", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15366" ], "unique" : false }, { "id" : "CVE-2025-15367", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15367" ], "unique" : false }, { "id" : "CVE-2026-1299", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-1299" ], "unique" : false }, { "id" : "CVE-2026-4519", "title" : "webbrowser.open() allows leading dashes in URLs", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4519" ], "unique" : false }, { "id" : "CVE-2026-4786", "title" : "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4786" ], "unique" : false }, { "id" : "CVE-2024-6923", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6923" ], "unique" : false }, { "id" : "CVE-2025-0938", "title" : "URL parser allowed square brackets in domain names", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0938" ], "unique" : false }, { "id" : "CVE-2025-13836", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13836" ], "unique" : false }, { "id" : "CVE-2024-9287", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-9287" ], "unique" : false }, { "id" : "CVE-2024-0450", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0450" ], "unique" : false }, { "id" : "CVE-2025-13837", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13837" ], "unique" : false }, { "id" : "CVE-2026-4224", "title" : "Stack overflow parsing XML with deeply nested DTD content models", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4224" ], "unique" : false }, { "id" : "CVE-2007-4559", "title" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2007-4559" ], "unique" : false }, { "id" : "CVE-2026-3644", "title" : "Incomplete control character validation in http.cookies", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3644" ], "unique" : false }, { "id" : "CVE-2023-27043", "title" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-27043" ], "unique" : false }, { "id" : "CVE-2024-8088", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-8088" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2024-0397", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0397" ], "unique" : false }, { "id" : "CVE-2024-7592", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-7592" ], "unique" : false }, { "id" : "CVE-2025-15282", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15282" ], "unique" : false }, { "id" : "CVE-2026-0672", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0672" ], "unique" : false }, { "id" : "CVE-2026-0865", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0865" ], "unique" : false }, { "id" : "CVE-2026-1502", "title" : "HTTP client proxy tunnel headers not validated for CR/LF", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1502" ], "unique" : false }, { "id" : "CVE-2025-6069", "title" : "HTMLParser quadratic complexity when processing malformed inputs", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6069" ], "unique" : false }, { "id" : "CVE-2025-8291", "title" : "ZIP64 End of Central Directory (EOCD) Locator record offset not checked", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8291" ], "unique" : false }, { "id" : "CVE-2025-6075", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6075" ], "unique" : false }, { "id" : "CVE-2024-11168", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-11168" ], "unique" : false }, { "id" : "CVE-2024-4032", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-4032" ], "unique" : false }, { "id" : "CVE-2026-2297", "title" : "SourcelessFileLoader does not use io.open_code()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-2297" ], "unique" : false }, { "id" : "CVE-2024-5642", "title" : "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "source" : "redhat-csaf", "cvssScore" : 2.7, "severity" : "LOW", "cves" : [ "CVE-2024-5642" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/python3@3.9.14-1.el9_1.2?arch=x86_64&distro=rhel-9.1&upstream=python3.9-3.9.14-1.el9_1.2.src.rpm", "issues" : [ { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false }, { "id" : "CVE-2026-6100", "title" : "Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-6100" ], "unique" : false }, { "id" : "CVE-2023-6597", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-6597" ], "unique" : false }, { "id" : "CVE-2024-12718", "title" : "Bypass extraction filter to modify file metadata outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-12718" ], "unique" : false }, { "id" : "CVE-2025-4517", "title" : "Arbitrary writes via tarfile realpath overflow", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2025-4517" ], "unique" : false }, { "id" : "CVE-2023-24329", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24329" ], "unique" : false }, { "id" : "CVE-2024-6232", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-6232" ], "unique" : false }, { "id" : "CVE-2025-12084", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-12084" ], "unique" : false }, { "id" : "CVE-2025-4138", "title" : "Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4138" ], "unique" : false }, { "id" : "CVE-2025-4435", "title" : "Tarfile extracts filtered members when errorlevel=0", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-4435" ], "unique" : false }, { "id" : "CVE-2025-8194", "title" : "Tarfile infinite loop during parsing with negative member offset", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-8194" ], "unique" : false }, { "id" : "CVE-2025-4330", "title" : "Extraction filter bypass for linking outside extraction directory", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-4330" ], "unique" : false }, { "id" : "CVE-2025-15366", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15366" ], "unique" : false }, { "id" : "CVE-2025-15367", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-15367" ], "unique" : false }, { "id" : "CVE-2026-1299", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-1299" ], "unique" : false }, { "id" : "CVE-2026-4519", "title" : "webbrowser.open() allows leading dashes in URLs", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4519" ], "unique" : false }, { "id" : "CVE-2026-4786", "title" : "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-4786" ], "unique" : false }, { "id" : "CVE-2024-6923", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6923" ], "unique" : false }, { "id" : "CVE-2025-0938", "title" : "URL parser allowed square brackets in domain names", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0938" ], "unique" : false }, { "id" : "CVE-2025-13836", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13836" ], "unique" : false }, { "id" : "CVE-2026-6019", "title" : "BaseCookie.js_output() does not neutralize embedded characters", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6019" ], "unique" : false }, { "id" : "CVE-2024-9287", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-9287" ], "unique" : false }, { "id" : "CVE-2024-0450", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0450" ], "unique" : false }, { "id" : "CVE-2026-5713", "title" : "Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5713" ], "unique" : false }, { "id" : "CVE-2025-13837", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13837" ], "unique" : false }, { "id" : "CVE-2026-4224", "title" : "Stack overflow parsing XML with deeply nested DTD content models", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4224" ], "unique" : false }, { "id" : "CVE-2007-4559", "title" : "Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2007-4559" ], "unique" : false }, { "id" : "CVE-2026-3644", "title" : "Incomplete control character validation in http.cookies", "source" : "redhat-csaf", "cvssScore" : 5.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3644" ], "unique" : false }, { "id" : "CVE-2023-27043", "title" : "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-27043" ], "unique" : false }, { "id" : "CVE-2024-8088", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-8088" ], "unique" : false }, { "id" : "CVE-2025-12781", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-12781" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2026-3446", "title" : "Base64 decoding stops at first padded quad by default", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3446" ], "unique" : false }, { "id" : "CVE-2024-0397", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0397" ], "unique" : false }, { "id" : "CVE-2024-7592", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-7592" ], "unique" : false }, { "id" : "CVE-2025-15282", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15282" ], "unique" : false }, { "id" : "CVE-2026-0672", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0672" ], "unique" : false }, { "id" : "CVE-2025-11468", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11468" ], "unique" : false }, { "id" : "CVE-2026-0865", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0865" ], "unique" : false }, { "id" : "CVE-2026-1502", "title" : "HTTP client proxy tunnel headers not validated for CR/LF", "source" : "redhat-csaf", "cvssScore" : 4.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1502" ], "unique" : false }, { "id" : "CVE-2025-6069", "title" : "HTMLParser quadratic complexity when processing malformed inputs", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6069" ], "unique" : false }, { "id" : "CVE-2025-8291", "title" : "ZIP64 End of Central Directory (EOCD) Locator record offset not checked", "source" : "redhat-csaf", "cvssScore" : 4.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8291" ], "unique" : false }, { "id" : "CVE-2025-6075", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6075" ], "unique" : false }, { "id" : "CVE-2024-11168", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-11168" ], "unique" : false }, { "id" : "CVE-2024-4032", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-4032" ], "unique" : false }, { "id" : "CVE-2026-2297", "title" : "SourcelessFileLoader does not use io.open_code()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-2297" ], "unique" : false }, { "id" : "CVE-2026-3479", "title" : "pkgutil.get_data() does not enforce documented restrictions", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-3479" ], "unique" : false }, { "id" : "CVE-2024-5642", "title" : "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "source" : "redhat-csaf", "cvssScore" : 2.7, "severity" : "LOW", "cves" : [ "CVE-2024-5642" ], "unique" : false }, { "id" : "CVE-2025-13462", "title" : "tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2025-13462" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-40217", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2023-40217" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gnutls@3.7.6-12.el9_0?arch=x86_64&distro=rhel-9.1&upstream=gnutls-3.7.6-12.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2026-42013", "title" : "Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-42013" ], "unique" : false }, { "id" : "CVE-2026-5260", "title" : "Gnutls: gnutls: information disclosure via heap overread in rsa key exchange", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-5260" ], "unique" : false }, { "id" : "CVE-2024-0553", "title" : "Gnutls: incomplete fix for cve-2023-5981", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-0553" ], "unique" : false }, { "id" : "CVE-2024-0567", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-0567" ], "unique" : false }, { "id" : "CVE-2026-1584", "title" : "Gnutls: gnutls: remote denial of service via crafted clienthello with invalid psk binder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1584" ], "unique" : false }, { "id" : "CVE-2026-33845", "title" : "Gnutls: gnutls: denial of service via dtls zero-length fragment", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33845" ], "unique" : false }, { "id" : "CVE-2026-33846", "title" : "Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33846" ], "unique" : false }, { "id" : "CVE-2026-42009", "title" : "Gnutls: gnutls: denial of service via dtls packet reordering vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-42009" ], "unique" : false }, { "id" : "CVE-2023-0361", "title" : "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2023-0361" ], "unique" : false }, { "id" : "CVE-2026-42011", "title" : "Gnutls: gnutls: security bypass due to incorrect name constraint handling", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-42011" ], "unique" : false }, { "id" : "CVE-2026-42010", "title" : "Gnutls: gnutls: authentication bypass via nul character in username", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-42010" ], "unique" : false }, { "id" : "CVE-2026-42012", "title" : "Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2026-42012" ], "unique" : false }, { "id" : "CVE-2026-42014", "title" : "Gnutls: gnutls: use-after-free in gnutls_pkcs11_token_set_pin", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42014" ], "unique" : false }, { "id" : "CVE-2025-32988", "title" : "Gnutls: vulnerability in gnutls othername san export", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32988" ], "unique" : false }, { "id" : "CVE-2025-32990", "title" : "Gnutls: vulnerability in gnutls certtool template parsing", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32990" ], "unique" : false }, { "id" : "CVE-2025-6395", "title" : "Gnutls: null pointer dereference in _gnutls_figure_common_ciphersuite()", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-6395" ], "unique" : false }, { "id" : "CVE-2026-3833", "title" : "Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3833" ], "unique" : false }, { "id" : "CVE-2023-5981", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5981" ], "unique" : false }, { "id" : "CVE-2024-12243", "title" : "Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12243" ], "unique" : false }, { "id" : "CVE-2024-28834", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28834" ], "unique" : false }, { "id" : "CVE-2025-14831", "title" : "Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14831" ], "unique" : false }, { "id" : "CVE-2025-32989", "title" : "Gnutls: vulnerability in gnutls sct extension parsing", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32989" ], "unique" : false }, { "id" : "CVE-2026-42015", "title" : "Gnutls: gnutls: memory corruption due to off-by-one error in pkcs#12 bag handling", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42015" ], "unique" : false }, { "id" : "CVE-2024-28835", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28835" ], "unique" : false }, { "id" : "CVE-2025-9820", "title" : "Gnutls: stack-based buffer overflow in gnutls_pkcs11_token_init() function", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9820" ], "unique" : false }, { "id" : "CVE-2026-3832", "title" : "Gnutls: gnutls: security bypass allows acceptance of revoked server certificates via crafted ocsp response", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3832" ], "unique" : false }, { "id" : "CVE-2026-5419", "title" : "Gnutls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-5419" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-42013", "title" : "Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2026-42013" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/freetype@2.10.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=freetype-2.10.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-27363", "title" : "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2025-27363" ], "unique" : false }, { "id" : "CVE-2026-23865", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-23865" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-27363", "title" : "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2025-27363" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/freetype-devel@2.10.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=freetype-2.10.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-27363", "title" : "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2025-27363" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-27363", "title" : "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2025-27363" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libX11-common@1.7.0-7.el9?arch=noarch&distro=rhel-9.1&upstream=libX11-1.7.0-7.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-43787", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-43787" ], "unique" : false }, { "id" : "CVE-2023-3138", "title" : "A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-3138" ], "unique" : false }, { "id" : "CVE-2023-43785", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43785" ], "unique" : false }, { "id" : "CVE-2023-43786", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43786" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-43787", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-43787" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-base@6.2-8.20210508.el9?arch=noarch&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ncurses-libs@6.2-8.20210508.el9?arch=x86_64&distro=rhel-9.1&upstream=ncurses-6.2-8.20210508.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false }, { "id" : "CVE-2025-69720", "title" : "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-69720" ], "unique" : false }, { "id" : "CVE-2022-29458", "title" : "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2022-29458" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-29491", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-29491" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcap@2.48-8.el9?arch=x86_64&distro=rhel-9.1&upstream=libcap-2.48-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false }, { "id" : "CVE-2026-4878", "title" : "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4878" ], "unique" : false }, { "id" : "CVE-2023-2602", "title" : "A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-2602" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-2603", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-2603" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libX11-xcb@1.7.0-7.el9?arch=x86_64&distro=rhel-9.1&upstream=libX11-1.7.0-7.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-43787", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-43787" ], "unique" : false }, { "id" : "CVE-2023-3138", "title" : "A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-3138" ], "unique" : false }, { "id" : "CVE-2023-43785", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43785" ], "unique" : false }, { "id" : "CVE-2023-43786", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43786" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-43787", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-43787" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libX11-devel@1.7.0-7.el9?arch=x86_64&distro=rhel-9.1&upstream=libX11-1.7.0-7.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-43787", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-43787" ], "unique" : false }, { "id" : "CVE-2023-3138", "title" : "A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-3138" ], "unique" : false }, { "id" : "CVE-2023-43785", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43785" ], "unique" : false }, { "id" : "CVE-2023-43786", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43786" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-43787", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-43787" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glib2-devel@2.68.4-5.el9?arch=x86_64&distro=rhel-9.1&upstream=glib2-2.68.4-5.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-13601", "title" : "Glib: integer overflow in in g_escape_uri_string()", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-13601" ], "unique" : false }, { "id" : "CVE-2024-52533", "title" : "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-52533" ], "unique" : false }, { "id" : "CVE-2023-32611", "title" : "G_variant_byteswap() can take a long time with some non-normal inputs", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-32611" ], "unique" : false }, { "id" : "CVE-2023-32665", "title" : "Gvariant deserialisation does not match spec for non-normal data", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-32665" ], "unique" : false }, { "id" : "CVE-2025-14512", "title" : "Glib: integer overflow in glib gio attribute escaping causes heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14512" ], "unique" : false }, { "id" : "CVE-2023-29499", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-29499" ], "unique" : false }, { "id" : "CVE-2025-14087", "title" : "Glib: glib: buffer underflow in gvariant parser leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14087" ], "unique" : false }, { "id" : "CVE-2025-4373", "title" : "Glib: buffer underflow on glib through glib/gstring.c via function g_string_insert_unichar", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-4373" ], "unique" : false }, { "id" : "CVE-2024-34397", "title" : "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", "source" : "redhat-csaf", "cvssScore" : 3.8, "severity" : "LOW", "cves" : [ "CVE-2024-34397" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13601", "title" : "Glib: integer overflow in in g_escape_uri_string()", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-13601" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sqlite-libs@3.34.1-6.el9_1?arch=x86_64&distro=rhel-9.1&upstream=sqlite-3.34.1-6.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false }, { "id" : "CVE-2023-7104", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-7104" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libpng-devel@1.6.37-12.el9?arch=x86_64&distro=rhel-9.1&epoch=2&upstream=libpng-1.6.37-12.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-33636", "title" : "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2026-33636" ], "unique" : false }, { "id" : "CVE-2026-33416", "title" : "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33416" ], "unique" : false }, { "id" : "CVE-2025-64720", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-64720" ], "unique" : false }, { "id" : "CVE-2025-65018", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-65018" ], "unique" : false }, { "id" : "CVE-2025-66293", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-66293" ], "unique" : false }, { "id" : "CVE-2026-25646", "title" : "LIBPNG has a heap buffer overflow in png_set_quantize", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-25646" ], "unique" : false }, { "id" : "CVE-2026-22801", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22801" ], "unique" : false }, { "id" : "CVE-2026-22695", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22695" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-33636", "title" : "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2026-33636" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libpng@1.6.37-12.el9?arch=x86_64&distro=rhel-9.1&epoch=2&upstream=libpng-1.6.37-12.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-33636", "title" : "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2026-33636" ], "unique" : false }, { "id" : "CVE-2026-33416", "title" : "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-33416" ], "unique" : false }, { "id" : "CVE-2025-64720", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-64720" ], "unique" : false }, { "id" : "CVE-2025-65018", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-65018" ], "unique" : false }, { "id" : "CVE-2025-66293", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-66293" ], "unique" : false }, { "id" : "CVE-2026-25646", "title" : "LIBPNG has a heap buffer overflow in png_set_quantize", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2026-25646" ], "unique" : false }, { "id" : "CVE-2026-22801", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22801" ], "unique" : false }, { "id" : "CVE-2025-28162", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-28162" ], "unique" : false }, { "id" : "CVE-2025-64506", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-64506" ], "unique" : false }, { "id" : "CVE-2026-22695", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22695" ], "unique" : false }, { "id" : "CVE-2026-3713", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3713" ], "unique" : false }, { "id" : "CVE-2025-28164", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-28164" ], "unique" : false }, { "id" : "CVE-2025-64505", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2025-64505" ], "unique" : false }, { "id" : "CVE-2026-34757", "title" : "LIBPNG has a yse-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34757" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-33636", "title" : "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2026-33636" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/brotli-devel@1.0.9-6.el9?arch=x86_64&distro=rhel-9.1&upstream=brotli-1.0.9-6.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/expat@2.4.9-1.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=expat-2.4.9-1.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false }, { "id" : "CVE-2024-28757", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-28757" ], "unique" : false }, { "id" : "CVE-2024-45490", "title" : "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45490" ], "unique" : false }, { "id" : "CVE-2024-45491", "title" : "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-45491" ], "unique" : false }, { "id" : "CVE-2024-8176", "title" : "Libexpat: expat: improper restriction of xml entity expansion depth in libexpat", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-8176" ], "unique" : false }, { "id" : "CVE-2026-45186", "title" : "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-45186" ], "unique" : false }, { "id" : "CVE-2026-56132", "title" : "In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.", "source" : "redhat-csaf", "cvssScore" : 6.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-56132" ], "unique" : false }, { "id" : "CVE-2022-23990", "title" : "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-23990" ], "unique" : false }, { "id" : "CVE-2024-45492", "title" : "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45492" ], "unique" : false }, { "id" : "CVE-2024-50602", "title" : "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50602" ], "unique" : false }, { "id" : "CVE-2025-59375", "title" : "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59375" ], "unique" : false }, { "id" : "CVE-2026-50219", "title" : "libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,", "source" : "redhat-csaf", "cvssScore" : 4.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-50219" ], "unique" : false }, { "id" : "CVE-2026-41080", "title" : "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-41080" ], "unique" : false }, { "id" : "CVE-2013-0340", "source" : "redhat-csaf", "cves" : [ "CVE-2013-0340" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-52425", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-52425" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libbrotli@1.0.9-6.el9?arch=x86_64&distro=rhel-9.1&upstream=brotli-1.0.9-6.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/brotli@1.0.9-6.el9?arch=x86_64&distro=rhel-9.1&upstream=brotli-1.0.9-6.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-6176", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6176" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=rhel-9.1&upstream=xz-5.2.5-8.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-31115", "title" : "XZ has a heap-use-after-free bug in threaded .xz decoder", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-31115" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/harfbuzz-icu@2.7.4-8.el9?arch=x86_64&distro=rhel-9.1&upstream=harfbuzz-2.7.4-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-25193", "title" : "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-25193" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-25193", "title" : "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-25193" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/harfbuzz@2.7.4-8.el9?arch=x86_64&distro=rhel-9.1&upstream=harfbuzz-2.7.4-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2023-25193", "title" : "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-25193" ], "unique" : false }, { "id" : "CVE-2026-22693", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22693" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-25193", "title" : "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-25193" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libjpeg-turbo-devel@2.0.90-5.el9?arch=x86_64&distro=rhel-9.1&upstream=libjpeg-turbo-2.0.90-5.el9.src.rpm", "issues" : [ { "id" : "CVE-2021-29390", "title" : "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2021-29390" ], "unique" : false }, { "id" : "CVE-2021-46822", "title" : "The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-46822" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-29390", "title" : "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2021-29390" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libjpeg-turbo@2.0.90-5.el9?arch=x86_64&distro=rhel-9.1&upstream=libjpeg-turbo-2.0.90-5.el9.src.rpm", "issues" : [ { "id" : "CVE-2021-29390", "title" : "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2021-29390" ], "unique" : false }, { "id" : "CVE-2021-46822", "title" : "The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2021-46822" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2021-29390", "title" : "libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2021-29390" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libicu@67.1-9.el9?arch=x86_64&distro=rhel-9.1&upstream=icu-67.1-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-5222", "title" : "Icu: stack buffer overflow in the srbroot::addtag function", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-5222" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-5222", "title" : "Icu: stack buffer overflow in the srbroot::addtag function", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-5222" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libicu-devel@67.1-9.el9?arch=x86_64&distro=rhel-9.1&upstream=icu-67.1-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-5222", "title" : "Icu: stack buffer overflow in the srbroot::addtag function", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-5222" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-5222", "title" : "Icu: stack buffer overflow in the srbroot::addtag function", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-5222" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libblkid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false }, { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false }, { "id" : "CVE-2026-27456", "title" : "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27456" ], "unique" : false }, { "id" : "CVE-2026-3184", "title" : "Util-linux: util-linux: access control bypass due to improper hostname canonicalization", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-3184" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-13595", "title" : "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-13595" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/fontconfig@2.14.0-2.el9_1?arch=x86_64&distro=rhel-9.1&upstream=fontconfig-2.14.0-2.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2026-34085", "title" : "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34085" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-34085", "title" : "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34085" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/sed@4.8-9.el9?arch=x86_64&distro=rhel-9.1&upstream=sed-4.8-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-5958", "title" : "Race Condition in GNU Sed", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5958" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libblkid-devel@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libstdc%2B%2B@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libuuid@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libmount-devel@2.37.4-9.el9?arch=x86_64&distro=rhel-9.1&upstream=util-linux-2.37.4-9.el9.src.rpm", "issues" : [ { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-14104", "title" : "Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-14104" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libgomp@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "issues" : [ { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2020-11023", "title" : "Potential XSS vulnerability in jQuery", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2020-11023" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libtasn1@4.16.0-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libtasn1-4.16.0-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false }, { "id" : "CVE-2024-12133", "title" : "Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-12133" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-13151", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-13151" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libXpm-devel@3.5.13-8.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libXpm-3.5.13-8.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-43788", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43788" ], "unique" : false }, { "id" : "CVE-2023-43789", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43789" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-43788", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-43788" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit-trust@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/p11-kit@0.24.1-2.el9?arch=x86_64&distro=rhel-9.1&upstream=p11-kit-0.24.1-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2026-2100", "title" : "P11-kit: null dereference via c_derivekey with specific null parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2100" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/bzip2-devel@1.0.8-8.el9?arch=x86_64&distro=rhel-9.1&upstream=bzip2-1.0.8-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/bzip2-libs@1.0.8-8.el9?arch=x86_64&distro=rhel-9.1&upstream=bzip2-1.0.8-8.el9.src.rpm", "issues" : [ { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2019-12900", "title" : "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2019-12900" ], "unique" : false } } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/scl-utils@2.0.3-2.el9?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=scl-utils-2.0.3-2.el9.src.rpm", "issues" : [ { "id" : "CVE-2014-7811", "title" : "Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allow remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the REST API.", "source" : "redhat-csaf", "cves" : [ "CVE-2014-7811" ], "unique" : false }, { "id" : "CVE-2014-7812", "title" : "Cross-site scripting (XSS) vulnerability in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allows remote authenticated users to inject arbitrary web script or HTML via the System Groups field.", "source" : "redhat-csaf", "cves" : [ "CVE-2014-7812" ], "unique" : false } ], "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libxml2@2.9.13-3.el9_1?arch=x86_64&distro=rhel-9.1&upstream=libxml2-2.9.13-3.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-40896", "title" : "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2024-40896" ], "unique" : false }, { "id" : "CVE-2025-49794", "title" : "Libxml: heap use after free (uaf) leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2025-49794" ], "unique" : false }, { "id" : "CVE-2025-49796", "title" : "Libxml: type confusion leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2025-49796" ], "unique" : false }, { "id" : "CVE-2024-56171", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-56171" ], "unique" : false }, { "id" : "CVE-2025-24928", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-24928" ], "unique" : false }, { "id" : "CVE-2025-7425", "title" : "Libxslt: libxml2: heap use-after-free in libxslt caused by atype corruption in xmlattrptr", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-7425" ], "unique" : false }, { "id" : "CVE-2024-25062", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-25062" ], "unique" : false }, { "id" : "CVE-2025-32415", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-32415" ], "unique" : false }, { "id" : "CVE-2025-49795", "title" : "Libxml: null pointer dereference leads to denial of service (dos)", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-49795" ], "unique" : false }, { "id" : "CVE-2025-6021", "title" : "Libxml2: integer overflow in xmlbuildqname() leads to stack buffer overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-6021" ], "unique" : false }, { "id" : "CVE-2025-7424", "title" : "Libxslt: type confusion in xmlnode.psvi between stylesheet and source nodes", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-7424" ], "unique" : false }, { "id" : "CVE-2023-39615", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39615" ], "unique" : false }, { "id" : "CVE-2026-6732", "title" : "Libxml2: libxml2: denial of service via crafted xsd-validated document", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6732" ], "unique" : false }, { "id" : "CVE-2025-9714", "title" : "Stack overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9714" ], "unique" : false }, { "id" : "CVE-2026-1757", "title" : "Libxml2: memory leak leading to local denial of service in xmllint interactive shell", "source" : "redhat-csaf", "cvssScore" : 6.2, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1757" ], "unique" : false }, { "id" : "CVE-2022-49043", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2022-49043" ], "unique" : false }, { "id" : "CVE-2023-28484", "title" : "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-28484" ], "unique" : false }, { "id" : "CVE-2023-29469", "title" : "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-29469" ], "unique" : false }, { "id" : "CVE-2026-0990", "title" : "Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0990" ], "unique" : false }, { "id" : "CVE-2025-32414", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-32414" ], "unique" : false }, { "id" : "CVE-2024-34459", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-34459" ], "unique" : false }, { "id" : "CVE-2025-26434", "title" : "In libxml2, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-26434" ], "unique" : false }, { "id" : "CVE-2026-11979", "title" : "Stack-Based Buffer Overflow in libxml2", "source" : "redhat-csaf", "cvssScore" : 4.8, "severity" : "MEDIUM", "cves" : [ "CVE-2026-11979" ], "unique" : false }, { "id" : "CVE-2026-0989", "title" : "Libxml2: unbounded relaxng include recursion leading to stack overflow", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-0989" ], "unique" : false }, { "id" : "CVE-2026-0992", "title" : "Libxml2: libxml2: denial of service via crafted xml catalogs", "source" : "redhat-csaf", "cvssScore" : 2.9, "severity" : "LOW", "cves" : [ "CVE-2026-0992" ], "unique" : false }, { "id" : "CVE-2025-6170", "title" : "Libxml2: stack buffer overflow in xmllint interactive shell command handling", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2025-6170" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-40896", "title" : "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2024-40896" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/less@590-1.el9_0?arch=x86_64&distro=rhel-9.1&upstream=less-590-1.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2024-32487", "title" : "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2024-32487" ], "unique" : false }, { "id" : "CVE-2022-46663", "title" : "In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-46663" ], "unique" : false }, { "id" : "CVE-2022-48624", "title" : "close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-48624" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-32487", "title" : "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "source" : "redhat-csaf", "cvssScore" : 8.6, "severity" : "HIGH", "cves" : [ "CVE-2024-32487" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/curl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl trans", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50264" ], "unique" : false }, { "id" : "CVE-2025-38110", "title" : "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38110" ], "unique" : false }, { "id" : "CVE-2024-53122", "title" : "mptcp: cope racing subflow creation in mptcp_rcv_space_adjust", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53122" ], "unique" : false }, { "id" : "CVE-2024-53197", "title" : "ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53197" ], "unique" : false }, { "id" : "CVE-2024-36941", "title" : "wifi: nl80211: don't free NULL coalescing rule", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36941" ], "unique" : false }, { "id" : "CVE-2024-38627", "title" : "stm class: Fix a double free in stm_register_device()", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38627" ], "unique" : false }, { "id" : "CVE-2022-50042", "title" : "net: genl: fix error path memory leak in policy dumping", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50042" ], "unique" : false }, { "id" : "CVE-2022-50353", "title" : "mmc: wmt-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50353" ], "unique" : false }, { "id" : "CVE-2022-50678", "title" : "wifi: brcmfmac: fix invalid address access when enabling SCAN log level", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50678" ], "unique" : false }, { "id" : "CVE-2023-1074", "title" : "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1074" ], "unique" : false }, { "id" : "CVE-2023-45862", "title" : "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45862" ], "unique" : false }, { "id" : "CVE-2023-52490", "title" : "mm: migrate: fix getting incorrect page mapping during page migration", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52490" ], "unique" : false }, { "id" : "CVE-2023-52658", "title" : "Revert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52658" ], "unique" : false }, { "id" : "CVE-2023-53291", "title" : "rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53291" ], "unique" : false }, { "id" : "CVE-2023-53391", "title" : "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53391" ], "unique" : false }, { "id" : "CVE-2023-53597", "title" : "cifs: fix mid leak during reconnection after timeout threshold", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53597" ], "unique" : false }, { "id" : "CVE-2023-53704", "title" : "clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53704" ], "unique" : false }, { "id" : "CVE-2023-54004", "title" : "udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54004" ], "unique" : false }, { "id" : "CVE-2023-54093", "title" : "media: anysee: fix null-ptr-deref in anysee_master_xfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54093" ], "unique" : false }, { "id" : "CVE-2023-54271", "title" : "blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54271" ], "unique" : false }, { "id" : "CVE-2023-7192", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7192" ], "unique" : false }, { "id" : "CVE-2024-0443", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0443" ], "unique" : false }, { "id" : "CVE-2024-26615", "title" : "net/smc: fix illegal rmb_desc access in SMC-D connection dump", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26615" ], "unique" : false }, { "id" : "CVE-2024-26878", "title" : "quota: Fix potential NULL pointer dereference", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26878" ], "unique" : false }, { "id" : "CVE-2024-27046", "title" : "nfp: flower: handle acti_netdevs allocation failure", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27046" ], "unique" : false }, { "id" : "CVE-2024-27052", "title" : "wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27052" ], "unique" : false }, { "id" : "CVE-2024-35789", "title" : "wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35789" ], "unique" : false }, { "id" : "CVE-2024-35852", "title" : "mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35852" ], "unique" : false }, { "id" : "CVE-2024-35890", "title" : "gro: fix ownership transfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35890" ], "unique" : false }, { "id" : "CVE-2024-35907", "title" : "mlxbf_gige: call request_irq() after NAPI initialized", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35907" ], "unique" : false }, { "id" : "CVE-2024-35952", "title" : "drm/ast: Fix soft lockup", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35952" ], "unique" : false }, { "id" : "CVE-2024-35989", "title" : "dmaengine: idxd: Fix oops during rmmod on single-CPU platforms", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35989" ], "unique" : false }, { "id" : "CVE-2024-39483", "title" : "KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-39483" ], "unique" : false }, { "id" : "CVE-2024-40959", "title" : "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-40959" ], "unique" : false }, { "id" : "CVE-2024-41035", "title" : "USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41035" ], "unique" : false }, { "id" : "CVE-2024-41064", "title" : "powerpc/eeh: avoid possible crash when edev->pdev changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41064" ], "unique" : false }, { "id" : "CVE-2024-42079", "title" : "gfs2: Fix NULL pointer dereference in gfs2_log_flush", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42079" ], "unique" : false }, { "id" : "CVE-2024-42272", "title" : "sched: act_ct: take care of padding in struct zones_ht_key", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42272" ], "unique" : false }, { "id" : "CVE-2024-42283", "title" : "net: nexthop: Initialize all fields in dumped nexthops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42283" ], "unique" : false }, { "id" : "CVE-2024-42322", "title" : "ipvs: properly dereference pe in ip_vs_add_service", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42322" ], "unique" : false }, { "id" : "CVE-2024-43854", "title" : "block: initialize integrity buffer to zero before writing it to media", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43854" ], "unique" : false }, { "id" : "CVE-2024-44990", "title" : "bonding: fix null pointer deref in bond_ipsec_offload_ok", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44990" ], "unique" : false }, { "id" : "CVE-2024-44994", "title" : "iommu: Restore lost return in iommu_report_device_fault()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44994" ], "unique" : false }, { "id" : "CVE-2024-45018", "title" : "netfilter: flowtable: initialise extack before use", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45018" ], "unique" : false }, { "id" : "CVE-2024-46713", "title" : "perf/aux: Fix AUX buffer serialization", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46713" ], "unique" : false }, { "id" : "CVE-2024-46824", "title" : "iommufd: Require drivers to supply the cache_invalidate_user ops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46824" ], "unique" : false }, { "id" : "CVE-2024-49949", "title" : "net: avoid potential underflow in qdisc_pkt_len_init() with UFO", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-49949" ], "unique" : false }, { "id" : "CVE-2024-50208", "title" : "RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50208" ], "unique" : false }, { "id" : "CVE-2024-50251", "title" : "netfilter: nft_payload: sanitize offset and length before calling skb_checksum()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50251" ], "unique" : false }, { "id" : "CVE-2024-50252", "title" : "mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50252" ], "unique" : false }, { "id" : "CVE-2024-53113", "title" : "mm: fix NULL pointer dereference in alloc_pages_bulk_noprof", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53113" ], "unique" : false }, { "id" : "CVE-2025-21669", "title" : "vsock/virtio: discard packets if the transport changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21669" ], "unique" : false }, { "id" : "CVE-2025-21962", "title" : "cifs: Fix integer overflow while processing closetimeo mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21962" ], "unique" : false }, { "id" : "CVE-2025-21963", "title" : "cifs: Fix integer overflow while processing acdirmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21963" ], "unique" : false }, { "id" : "CVE-2025-21964", "title" : "cifs: Fix integer overflow while processing acregmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21964" ], "unique" : false }, { "id" : "CVE-2025-37785", "title" : "ext4: fix OOB read when checking dotdot dir", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-37785" ], "unique" : false }, { "id" : "CVE-2025-38234", "title" : "sched/rt: Fix race in push_rt_task", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38234" ], "unique" : false }, { "id" : "CVE-2023-52448", "title" : "gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52448" ], "unique" : false }, { "id" : "CVE-2023-53755", "title" : "dmaengine: ptdma: check for null desc before calling pt_cmd_callback", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53755" ], "unique" : false }, { "id" : "CVE-2024-47745", "title" : "mm: call the security_mmap_file() LSM hook in remap_file_pages()", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-47745" ], "unique" : false }, { "id" : "CVE-2024-53088", "title" : "i40e: fix race condition by adding filter's intermediate sync state", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53088" ], "unique" : false }, { "id" : "CVE-2025-21961", "title" : "eth: bnxt: fix truesize for mb-xdp-pass case", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21961" ], "unique" : false }, { "id" : "CVE-2025-22036", "title" : "exfat: fix random stack corruption after get_block", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22036" ], "unique" : false }, { "id" : "CVE-2025-38417", "title" : "ice: fix eswitch code memory leak in reset scenario", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38417" ], "unique" : false }, { "id" : "CVE-2023-52771", "title" : "cxl/port: Fix delete_endpoint() vs parent unregistration race", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52771" ], "unique" : false }, { "id" : "CVE-2023-52864", "title" : "platform/x86: wmi: Fix opening of char device", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52864" ], "unique" : false }, { "id" : "CVE-2024-26855", "title" : "net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26855" ], "unique" : false }, { "id" : "CVE-2024-35845", "title" : "wifi: iwlwifi: dbg-tlv: ensure NUL termination", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35845" ], "unique" : false }, { "id" : "CVE-2024-36922", "title" : "wifi: iwlwifi: read txq->read_ptr under lock", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36922" ], "unique" : false }, { "id" : "CVE-2024-38555", "title" : "net/mlx5: Discard command completions in internal error", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38555" ], "unique" : false }, { "id" : "CVE-2024-38556", "title" : "net/mlx5: Add a timeout to acquire the command queue semaphore", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38556" ], "unique" : false }, { "id" : "CVE-2024-43855", "title" : "md: fix deadlock between mddev_suspend and flush bio", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43855" ], "unique" : false }, { "id" : "CVE-2024-46826", "title" : "ELF: fix kernel.randomize_va_space double read", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46826" ], "unique" : false }, { "id" : "CVE-2024-26897", "title" : "wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26897" ], "unique" : false }, { "id" : "CVE-2024-38586", "title" : "r8169: Fix possible ring buffer corruption on fragmented Tx packets.", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38586" ], "unique" : false }, { "id" : "CVE-2022-50846", "title" : "mmc: via-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2022-50846" ], "unique" : false }, { "id" : "CVE-2023-53639", "title" : "wifi: ath6kl: reduce WARN to dev_dbg() in callback", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-53639" ], "unique" : false }, { "id" : "CVE-2023-54153", "title" : "ext4: turn quotas off if mount failed after enabling quotas", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-54153" ], "unique" : false }, { "id" : "CVE-2023-54267", "title" : "powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2023-54267" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-devel@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl = 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2022-21824" ], "unique" : false }, { "id" : "CVE-2022-35255", "title" : "A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.", "source" : "redhat-csaf", "cvssScore" : 8.2, "severity" : "HIGH", "cves" : [ "CVE-2022-35255" ], "unique" : false }, { "id" : "CVE-2023-32002", "title" : "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-32002" ], "unique" : false }, { "id" : "CVE-2024-21892", "title" : "On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE.\nDue to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set.\nThis allows unprivileged users to inject code that inherits the process's elevated privileges.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-21892" ], "unique" : false }, { "id" : "CVE-2024-21896", "title" : "The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 7.9, "severity" : "HIGH", "cves" : [ "CVE-2024-21896" ], "unique" : false }, { "id" : "CVE-2025-23083", "title" : "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \r\n\r\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-23083" ], "unique" : false }, { "id" : "CVE-2025-6965", "title" : "Integer Truncation on SQLite", "source" : "redhat-csaf", "cvssScore" : 7.7, "severity" : "HIGH", "cves" : [ "CVE-2025-6965" ], "unique" : false }, { "id" : "CVE-2021-35065", "title" : "The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2021-35065" ], "unique" : false }, { "id" : "CVE-2022-25881", "title" : "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25881" ], "unique" : false }, { "id" : "CVE-2022-25883", "title" : "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-25883" ], "unique" : false }, { "id" : "CVE-2022-3517", "title" : "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3517" ], "unique" : false }, { "id" : "CVE-2022-43548", "title" : "A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-43548" ], "unique" : false }, { "id" : "CVE-2023-23918", "title" : "A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-23918" ], "unique" : false }, { "id" : "CVE-2023-23919", "title" : "A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-23919" ], "unique" : false }, { "id" : "CVE-2023-24807", "title" : "Undici vulnerable to Regular Expression Denial of Service in Headers", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-24807" ], "unique" : false }, { "id" : "CVE-2023-30581", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-30581" ], "unique" : false }, { "id" : "CVE-2023-30590", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-30590" ], "unique" : false }, { "id" : "CVE-2023-32067", "title" : "0-byte UDP payload DoS in c-ares", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-32067" ], "unique" : false }, { "id" : "CVE-2023-32559", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-32559" ], "unique" : false }, { "id" : "CVE-2023-38552", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-38552" ], "unique" : false }, { "id" : "CVE-2023-39331", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-39331" ], "unique" : false }, { "id" : "CVE-2023-44487", "title" : "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-44487" ], "unique" : false }, { "id" : "CVE-2024-22019", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-22019" ], "unique" : false }, { "id" : "CVE-2024-27983", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-27983" ], "unique" : false }, { "id" : "CVE-2025-23166", "title" : "The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-23166" ], "unique" : false }, { "id" : "CVE-2025-59465", "title" : "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on('secureConnection', socket => {\n socket.on('error', err => {\n console.log(err)\n })\n})\n```", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2025-59465" ], "unique" : false }, { "id" : "CVE-2026-1526", "title" : "undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1526" ], "unique" : false }, { "id" : "CVE-2026-1528", "title" : "undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-1528" ], "unique" : false }, { "id" : "CVE-2026-21710", "title" : "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-21710" ], "unique" : false }, { "id" : "CVE-2026-2229", "title" : "undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-2229" ], "unique" : false }, { "id" : "CVE-2026-27135", "title" : "nghttp2 Denial of service: Assertion failure due to the missing state validation", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-27135" ], "unique" : false }, { "id" : "CVE-2021-44531", "title" : "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2021-44531" ], "unique" : false }, { "id" : "CVE-2021-44532", "title" : "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2021-44532" ], "unique" : false }, { "id" : "CVE-2021-44533", "title" : "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2021-44533" ], "unique" : false }, { "id" : "CVE-2024-22017", "title" : "setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().\nThis allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().\nThis vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-22017" ], "unique" : false }, { "id" : "CVE-2025-3277", "title" : "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-3277" ], "unique" : false }, { "id" : "CVE-2026-1525", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2026-1525" ], "unique" : false }, { "id" : "CVE-2025-55130", "title" : "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55130" ], "unique" : false }, { "id" : "CVE-2025-55131", "title" : "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-55131" ], "unique" : false }, { "id" : "CVE-2023-30589", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-30589" ], "unique" : false }, { "id" : "CVE-2025-31498", "title" : "c-ares has a use-after-free in read_answers()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-31498" ], "unique" : false }, { "id" : "CVE-2025-22150", "title" : "Undici Uses Insufficiently Random Values", "source" : "redhat-csaf", "cvssScore" : 6.8, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22150" ], "unique" : false }, { "id" : "CVE-2024-21891", "title" : "Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-21891" ], "unique" : false }, { "id" : "CVE-2022-35256", "title" : "The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-35256" ], "unique" : false }, { "id" : "CVE-2023-23936", "title" : "CRLF Injection in Nodejs ‘undici’ via host", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23936" ], "unique" : false }, { "id" : "CVE-2024-22020", "title" : "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-22020" ], "unique" : false }, { "id" : "CVE-2024-22025", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-22025" ], "unique" : false }, { "id" : "CVE-2024-28863", "title" : "node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28863" ], "unique" : false }, { "id" : "CVE-2025-23167", "title" : "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-23167" ], "unique" : false }, { "id" : "CVE-2026-1527", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-1527" ], "unique" : false }, { "id" : "CVE-2026-21712", "title" : "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21712" ], "unique" : false }, { "id" : "CVE-2026-25547", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-25547" ], "unique" : false }, { "id" : "CVE-2026-26996", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-26996" ], "unique" : false }, { "id" : "CVE-2026-27904", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-27904" ], "unique" : false }, { "id" : "CVE-2024-27982", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27982" ], "unique" : false }, { "id" : "CVE-2023-31147", "title" : "Insufficient randomness in generation of DNS query IDs in c-ares", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31147" ], "unique" : false }, { "id" : "CVE-2023-46809", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-46809" ], "unique" : false }, { "id" : "CVE-2025-59466", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-59466" ], "unique" : false }, { "id" : "CVE-2026-21637", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21637" ], "unique" : false }, { "id" : "CVE-2026-21713", "title" : "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21713" ], "unique" : false }, { "id" : "CVE-2026-21717", "title" : "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21717" ], "unique" : false }, { "id" : "CVE-2026-2581", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-2581" ], "unique" : false }, { "id" : "CVE-2023-31130", "title" : "Buffer Underwrite in ares_inet_net_pton()", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-31130" ], "unique" : false }, { "id" : "CVE-2023-30588", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-30588" ], "unique" : false }, { "id" : "CVE-2023-39333", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-39333" ], "unique" : false }, { "id" : "CVE-2024-28182", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-28182" ], "unique" : false }, { "id" : "CVE-2025-23085", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2025-23085" ], "unique" : false }, { "id" : "CVE-2026-21714", "title" : "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21714" ], "unique" : false }, { "id" : "CVE-2026-21711", "title" : "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.", "source" : "redhat-csaf", "cvssScore" : 5.2, "severity" : "MEDIUM", "cves" : [ "CVE-2026-21711" ], "unique" : false }, { "id" : "CVE-2024-21890", "title" : "The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:\n```\n --allow-fs-read=/home/node/.ssh/*.pub\n```\n\nwill ignore `pub` and give access to everything after `.ssh/`.\n\nThis misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21.\n\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-21890" ], "unique" : false }, { "id" : "CVE-2024-25629", "title" : "c-ares out of bounds read in ares__read_line()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-25629" ], "unique" : false }, { "id" : "CVE-2023-23920", "title" : "An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2023-23920" ], "unique" : false }, { "id" : "CVE-2023-45143", "title" : "Undici's cookie header not cleared on cross-origin redirect in fetch", "source" : "redhat-csaf", "cvssScore" : 3.9, "severity" : "LOW", "cves" : [ "CVE-2023-45143" ], "unique" : false }, { "id" : "CVE-2024-36137", "title" : "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.\r\n\r\nNode.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a \"read-only\" file descriptor to change the owner and permissions of a file.", "source" : "redhat-csaf", "cvssScore" : 3.9, "severity" : "LOW", "cves" : [ "CVE-2024-36137" ], "unique" : false }, { "id" : "CVE-2026-21716", "title" : "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.8, "severity" : "LOW", "cves" : [ "CVE-2026-21716" ], "unique" : false }, { "id" : "CVE-2023-31124", "title" : "AutoTools does not set CARES_RANDOM_FILE during cross compilation", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2023-31124" ], "unique" : false }, { "id" : "CVE-2025-23165", "title" : "In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\r\n\r\nImpact:\r\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2025-23165" ], "unique" : false }, { "id" : "CVE-2026-21715", "title" : "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2026-21715" ], "unique" : false }, { "id" : "CVE-2021-44906", "title" : "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", "source" : "redhat-csaf", "cvssScore" : 3.1, "severity" : "LOW", "cves" : [ "CVE-2021-44906" ], "unique" : false }, { "id" : "CVE-2024-22018", "title" : "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "source" : "redhat-csaf", "cvssScore" : 2.9, "severity" : "LOW", "cves" : [ "CVE-2024-22018" ], "unique" : false }, { "id" : "CVE-2025-55132", "source" : "redhat-csaf", "cvssScore" : 2.8, "severity" : "LOW", "cves" : [ "CVE-2025-55132" ], "unique" : false } ], "transitive" : [ ], "highestVulnerability" : { "id" : "CVE-2023-39332", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2023-39332" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/gcc-plugin-annobin@11.3.1-2.1.el9?arch=x86_64&distro=rhel-9.1&upstream=gcc-11.3.1-2.1.el9.src.rpm", "transitive" : [ { "ref" : "pkg:rpm/redhat/openssl-libs@3.0.1-47.el9_1?arch=x86_64&distro=rhel-9.1&epoch=1&upstream=openssl-3.0.1-47.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false }, { "id" : "CVE-2026-45445", "title" : "AES-OCB IV Ignored on EVP_Cipher() Path", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2026-45445" ], "unique" : false }, { "id" : "CVE-2026-45447", "title" : "Heap Use-After-Free in the PKCS7_verify() Function", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-45447" ], "unique" : false }, { "id" : "CVE-2022-3358", "title" : "Using a Custom Cipher with NID_undef may lead to NULL encryption", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-3358" ], "unique" : false }, { "id" : "CVE-2023-5363", "title" : "Incorrect cipher key & IV length processing", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2023-5363" ], "unique" : false }, { "id" : "CVE-2026-28390", "title" : "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-28390" ], "unique" : false }, { "id" : "CVE-2026-34183", "title" : "Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2026-34183" ], "unique" : false }, { "id" : "CVE-2024-12797", "title" : "RFC7250 handshakes with unauthenticated servers don't abort as expected", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2024-12797" ], "unique" : false }, { "id" : "CVE-2025-69419", "title" : "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-69419" ], "unique" : false }, { "id" : "CVE-2026-34182", "title" : "CMS AuthEnvelopedData Processing May Accept Forged Messages", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2026-34182" ], "unique" : false }, { "id" : "CVE-2023-2650", "title" : "Possible DoS translating ASN.1 object identifiers", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2650" ], "unique" : false }, { "id" : "CVE-2023-6129", "title" : "POLY1305 MAC implementation corrupts vector registers on PowerPC", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6129" ], "unique" : false }, { "id" : "CVE-2025-69421", "title" : "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69421" ], "unique" : false }, { "id" : "CVE-2026-34181", "title" : "PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34181" ], "unique" : false }, { "id" : "CVE-2026-42768", "title" : "Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42768" ], "unique" : false }, { "id" : "CVE-2025-11187", "title" : "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2025-11187" ], "unique" : false }, { "id" : "CVE-2023-0464", "title" : "Excessive Resource Usage Verifying X.509 Policy Constraints", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0464" ], "unique" : false }, { "id" : "CVE-2023-6237", "title" : "Excessive time spent checking invalid RSA public keys", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6237" ], "unique" : false }, { "id" : "CVE-2024-5535", "title" : "SSL_select_next_proto buffer overread", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-5535" ], "unique" : false }, { "id" : "CVE-2024-6119", "title" : "Possible denial of service in X.509 name checks", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-6119" ], "unique" : false }, { "id" : "CVE-2025-15468", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15468" ], "unique" : false }, { "id" : "CVE-2025-66199", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-66199" ], "unique" : false }, { "id" : "CVE-2025-69420", "title" : "Missing ASN1_TYPE validation in TS_RESP_verify_response() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69420" ], "unique" : false }, { "id" : "CVE-2026-22796", "title" : "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22796" ], "unique" : false }, { "id" : "CVE-2026-31790", "title" : "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-31790" ], "unique" : false }, { "id" : "CVE-2026-42764", "title" : "NULL Pointer Dereference in QUIC Server Initial Packet Handling", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42764" ], "unique" : false }, { "id" : "CVE-2026-42769", "title" : "Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42769" ], "unique" : false }, { "id" : "CVE-2026-42770", "title" : "FFC-DH Peer Validation Uses Attacker-Supplied q", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42770" ], "unique" : false }, { "id" : "CVE-2026-9076", "title" : "Out-of-Bounds Read in CMS Password-Based Decryption", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-9076" ], "unique" : false }, { "id" : "CVE-2024-4741", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4741" ], "unique" : false }, { "id" : "CVE-2025-9230", "title" : "Out-of-bounds read & write in RFC 3211 KEK Unwrap", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-9230" ], "unique" : false }, { "id" : "CVE-2024-0727", "title" : "PKCS12 Decoding crashes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0727" ], "unique" : false }, { "id" : "CVE-2025-15469", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15469" ], "unique" : false }, { "id" : "CVE-2026-22795", "title" : "Missing ASN1_TYPE validation in PKCS#12 parsing", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-22795" ], "unique" : false }, { "id" : "CVE-2026-7383", "title" : "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-7383" ], "unique" : false }, { "id" : "CVE-2023-0465", "title" : "Invalid certificate policies in leaf certificates are silently ignored", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0465" ], "unique" : false }, { "id" : "CVE-2023-0466", "title" : "Certificate policy check not enabled", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-0466" ], "unique" : false }, { "id" : "CVE-2023-2975", "title" : "AES-SIV implementation ignores empty associated data entries", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-2975" ], "unique" : false }, { "id" : "CVE-2023-3446", "title" : "Excessive time spent checking DH keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3446" ], "unique" : false }, { "id" : "CVE-2023-3817", "title" : "Excessive time spent checking DH q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-3817" ], "unique" : false }, { "id" : "CVE-2023-5678", "title" : "Excessive time spent in DH check / generation with large Q parameter value", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5678" ], "unique" : false }, { "id" : "CVE-2024-4603", "title" : "Excessive time spent checking DSA keys and parameters", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-4603" ], "unique" : false }, { "id" : "CVE-2026-42766", "title" : "Possible NULL Dereference in Password-Based CMS Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42766" ], "unique" : false }, { "id" : "CVE-2026-42767", "title" : "NULL Pointer Dereference in CRMF EncryptedValue Decryption", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-42767" ], "unique" : false }, { "id" : "CVE-2023-1255", "title" : "Input buffer over-read in AES-XTS implementation on 64 bit ARM", "source" : "redhat-csaf", "cvssScore" : 5.1, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1255" ], "unique" : false }, { "id" : "CVE-2026-34180", "title" : "Heap Buffer Over-read in ASN.1 Content Parsing", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-34180" ], "unique" : false }, { "id" : "CVE-2025-68160", "title" : "Heap out-of-bounds write in BIO_f_linebuffer on short writes", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-68160" ], "unique" : false }, { "id" : "CVE-2025-69418", "title" : "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-69418" ], "unique" : false }, { "id" : "CVE-2024-2511", "title" : "Unbounded memory growth with session handling in TLSv1.3", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2024-2511" ], "unique" : false }, { "id" : "CVE-2026-45446", "title" : "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", "source" : "redhat-csaf", "cvssScore" : 3.7, "severity" : "LOW", "cves" : [ "CVE-2026-45446" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2025-15467", "title" : "Stack buffer overflow in CMS (Auth)EnvelopedData parsing", "source" : "redhat-csaf", "cvssScore" : 9.8, "severity" : "CRITICAL", "cves" : [ "CVE-2025-15467" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/ca-certificates@2022.2.54-90.2.el9_0?arch=noarch&distro=rhel-9.1&upstream=ca-certificates-2022.2.54-90.2.el9_0.src.rpm", "issues" : [ { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-37920", "title" : "Certifi's removal of e-Tugra root certificate", "source" : "redhat-csaf", "cvssScore" : 9.1, "severity" : "CRITICAL", "cves" : [ "CVE-2023-37920" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/krb5-libs@1.19.1-24.el9_1?arch=x86_64&distro=rhel-9.1&upstream=krb5-1.19.1-24.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false }, { "id" : "CVE-2023-39975", "title" : "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-39975" ], "unique" : false }, { "id" : "CVE-2024-26462", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-26462" ], "unique" : false }, { "id" : "CVE-2024-37370", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-37370" ], "unique" : false }, { "id" : "CVE-2020-17049", "title" : "Kerberos KDC Security Feature Bypass Vulnerability", "source" : "redhat-csaf", "cvssScore" : 7.2, "severity" : "HIGH", "cves" : [ "CVE-2020-17049" ], "unique" : false }, { "id" : "CVE-2023-36054", "title" : "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-36054" ], "unique" : false }, { "id" : "CVE-2024-37371", "title" : "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-37371" ], "unique" : false }, { "id" : "CVE-2025-24528", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-24528" ], "unique" : false }, { "id" : "CVE-2024-26458", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26458" ], "unique" : false }, { "id" : "CVE-2024-26461", "title" : "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26461" ], "unique" : false }, { "id" : "CVE-2025-3576", "title" : "Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-3576" ], "unique" : false }, { "id" : "CVE-2026-40355", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40355" ], "unique" : false }, { "id" : "CVE-2026-40356", "title" : "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-40356" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-3596", "title" : "RADIUS Protocol under RFC2865 is vulnerable to forgery attacks.", "source" : "redhat-csaf", "cvssScore" : 9.0, "severity" : "CRITICAL", "cves" : [ "CVE-2024-3596" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-headers@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2026-6238", "title" : "Buffer overread in ns_printrrf with corrupted RDATA field", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-6238" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2026-3904", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-3904" ], "unique" : false }, { "id" : "CVE-2026-5435", "title" : "Potential buffer overflow in ns_sprintrrf TSIG handling path", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5435" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2026-5928", "title" : "Potential buffer under-read in ungetwc", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5928" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/kernel-headers@5.14.0-162.18.1.el9_1?arch=x86_64&distro=rhel-9.1&upstream=kernel-5.14.0-162.18.1.el9_1.src.rpm", "issues" : [ { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false }, { "id" : "CVE-2024-5154", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2024-5154" ], "unique" : false }, { "id" : "CVE-2025-21927", "title" : "nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()", "source" : "redhat-csaf", "cvssScore" : 8.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21927" ], "unique" : false }, { "id" : "CVE-2023-1652", "title" : "A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-1652" ], "unique" : false }, { "id" : "CVE-2023-52922", "title" : "can: bcm: Fix UAF in bcm_proc_show()", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-52922" ], "unique" : false }, { "id" : "CVE-2024-36971", "title" : "net: fix __dst_negative_advice() race", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2024-36971" ], "unique" : false }, { "id" : "CVE-2025-21756", "title" : "vsock: Keep the binding until socket destruction", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-21756" ], "unique" : false }, { "id" : "CVE-2025-22020", "title" : "memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-22020" ], "unique" : false }, { "id" : "CVE-2025-38052", "title" : "net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-38052" ], "unique" : false }, { "id" : "CVE-2025-38087", "title" : "net/sched: fix use-after-free in taprio_dev_notifier", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2025-38087" ], "unique" : false }, { "id" : "CVE-2022-41723", "title" : "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2022-41723" ], "unique" : false }, { "id" : "CVE-2025-38471", "title" : "tls: always refresh the queue when reading sock", "source" : "redhat-csaf", "cvssScore" : 7.4, "severity" : "HIGH", "cves" : [ "CVE-2025-38471" ], "unique" : false }, { "id" : "CVE-2023-53752", "title" : "net: deal with integer overflows in kmalloc_reserve()", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2023-53752" ], "unique" : false }, { "id" : "CVE-2024-42284", "title" : "tipc: Return non-zero value from tipc_udp_addr2str() on error", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-42284" ], "unique" : false }, { "id" : "CVE-2024-53104", "title" : "media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2024-53104" ], "unique" : false }, { "id" : "CVE-2025-37750", "title" : "smb: client: fix UAF in decryption with multichannel", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-37750" ], "unique" : false }, { "id" : "CVE-2025-38250", "title" : "Bluetooth: hci_core: Fix use-after-free in vhci_flush()", "source" : "redhat-csaf", "cvssScore" : 7.3, "severity" : "HIGH", "cves" : [ "CVE-2025-38250" ], "unique" : false }, { "id" : "CVE-2022-49846", "title" : "udf: Fix a slab-out-of-bounds write bug in udf_find_entry()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2022-49846" ], "unique" : false }, { "id" : "CVE-2023-52933", "title" : "Squashfs: fix handling and sanity checking of xattr_ids count", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-52933" ], "unique" : false }, { "id" : "CVE-2023-53751", "title" : "cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-53751" ], "unique" : false }, { "id" : "CVE-2023-6606", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-6606" ], "unique" : false }, { "id" : "CVE-2023-6610", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2023-6610" ], "unique" : false }, { "id" : "CVE-2024-35937", "title" : "wifi: cfg80211: check A-MSDU format more carefully", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-35937" ], "unique" : false }, { "id" : "CVE-2024-38538", "title" : "net: bridge: xmit: make sure we have at least eth header len bytes", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-38538" ], "unique" : false }, { "id" : "CVE-2024-53150", "title" : "ALSA: usb-audio: Fix out of bounds reads when finding clock sources", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-53150" ], "unique" : false }, { "id" : "CVE-2024-57947", "title" : "netfilter: nf_set_pipapo: fix initial map fill", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2024-57947" ], "unique" : false }, { "id" : "CVE-2025-21887", "title" : "ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21887" ], "unique" : false }, { "id" : "CVE-2025-21893", "title" : "keys: Fix UAF in key_put()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21893" ], "unique" : false }, { "id" : "CVE-2025-21920", "title" : "vlan: enforce underlying device type", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21920" ], "unique" : false }, { "id" : "CVE-2025-21969", "title" : "Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21969" ], "unique" : false }, { "id" : "CVE-2025-21979", "title" : "wifi: cfg80211: cancel wiphy_work before freeing wiphy", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21979" ], "unique" : false }, { "id" : "CVE-2025-21993", "title" : "iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21993" ], "unique" : false }, { "id" : "CVE-2025-21997", "title" : "xsk: fix an integer overflow in xp_create_and_assign_umem()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-21997" ], "unique" : false }, { "id" : "CVE-2025-22026", "title" : "nfsd: don't ignore the return code of svc_proc_register()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22026" ], "unique" : false }, { "id" : "CVE-2025-22055", "title" : "net: fix geneve_opt length integer overflow", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22055" ], "unique" : false }, { "id" : "CVE-2025-22058", "title" : "udp: Fix memory accounting leak.", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22058" ], "unique" : false }, { "id" : "CVE-2025-22104", "title" : "ibmvnic: Use kernel helpers for hex dumps", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22104" ], "unique" : false }, { "id" : "CVE-2025-22113", "title" : "ext4: avoid journaling sb update on error if journal is destroying", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22113" ], "unique" : false }, { "id" : "CVE-2025-22121", "title" : "ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-22121" ], "unique" : false }, { "id" : "CVE-2025-37738", "title" : "ext4: ignore xattrs past end", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-37738" ], "unique" : false }, { "id" : "CVE-2025-37799", "title" : "vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-37799" ], "unique" : false }, { "id" : "CVE-2025-38264", "title" : "nvme-tcp: sanitize request list handling", "source" : "redhat-csaf", "cvssScore" : 7.1, "severity" : "HIGH", "cves" : [ "CVE-2025-38264" ], "unique" : false }, { "id" : "CVE-2022-49977", "title" : "ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-49977" ], "unique" : false }, { "id" : "CVE-2022-50066", "title" : "net: atlantic: fix aq_vec index out of range error", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2022-50066" ], "unique" : false }, { "id" : "CVE-2023-53047", "title" : "tee: amdtee: fix race condition in amdtee_open_session", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-53047" ], "unique" : false }, { "id" : "CVE-2023-53107", "title" : "veth: Fix use after free in XDP_REDIRECT", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-53107" ], "unique" : false }, { "id" : "CVE-2023-6932", "title" : "Use-after-free in Linux kernel's ipv4: igmp component", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2023-6932" ], "unique" : false }, { "id" : "CVE-2024-0646", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-0646" ], "unique" : false }, { "id" : "CVE-2024-46858", "title" : "mptcp: pm: Fix uaf in __timer_delete_sync", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-46858" ], "unique" : false }, { "id" : "CVE-2024-50154", "title" : "tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-50154" ], "unique" : false }, { "id" : "CVE-2024-53141", "title" : "netfilter: ipset: add missing range check in bitmap_ip_uadt", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2024-53141" ], "unique" : false }, { "id" : "CVE-2025-21727", "title" : "padata: fix UAF in padata_reorder", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21727" ], "unique" : false }, { "id" : "CVE-2025-21764", "title" : "ndisc: use RCU protection in ndisc_alloc_skb()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21764" ], "unique" : false }, { "id" : "CVE-2025-21867", "title" : "bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21867" ], "unique" : false }, { "id" : "CVE-2025-21919", "title" : "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21919" ], "unique" : false }, { "id" : "CVE-2025-21926", "title" : "net: gso: fix ownership in __udp_gso_segment", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21926" ], "unique" : false }, { "id" : "CVE-2025-21966", "title" : "dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-21966" ], "unique" : false }, { "id" : "CVE-2025-22004", "title" : "net: atm: fix use after free in lec_send()", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-22004" ], "unique" : false }, { "id" : "CVE-2025-22126", "title" : "md: fix mddev uaf while iterating all_mddevs list", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-22126" ], "unique" : false }, { "id" : "CVE-2025-37797", "title" : "net_sched: hfsc: Fix a UAF vulnerability in class handling", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37797" ], "unique" : false }, { "id" : "CVE-2025-37803", "title" : "udmabuf: fix a buf size overflow issue during udmabuf creation", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37803" ], "unique" : false }, { "id" : "CVE-2025-37890", "title" : "net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37890" ], "unique" : false }, { "id" : "CVE-2025-37914", "title" : "net_sched: ets: Fix double list add in class with netem as child qdisc", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37914" ], "unique" : false }, { "id" : "CVE-2025-37943", "title" : "wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-37943" ], "unique" : false }, { "id" : "CVE-2025-38079", "title" : "crypto: algif_hash - fix double free in hash_accept", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38079" ], "unique" : false }, { "id" : "CVE-2025-38086", "title" : "net: ch9200: fix uninitialised access during mii_nway_restart", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38086" ], "unique" : false }, { "id" : "CVE-2025-38124", "title" : "net: fix udp gso skb_segment after pull from frag_list", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38124" ], "unique" : false }, { "id" : "CVE-2025-38177", "title" : "sch_hfsc: make hfsc_qlen_notify() idempotent", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38177" ], "unique" : false }, { "id" : "CVE-2025-38200", "title" : "i40e: fix MMIO write access to an invalid page in i40e_clear_hw", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38200" ], "unique" : false }, { "id" : "CVE-2025-38332", "title" : "scsi: lpfc: Use memcpy() for BIOS version", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-38332" ], "unique" : false }, { "id" : "CVE-2022-50616", "title" : "regulator: core: Use different devices for resource allocation and DT lookup", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50616" ], "unique" : false }, { "id" : "CVE-2024-56614", "title" : "xsk: fix OOB map writes when deleting elements", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-56614" ], "unique" : false }, { "id" : "CVE-2024-56615", "title" : "bpf: fix OOB devmap writes when deleting elements", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-56615" ], "unique" : false }, { "id" : "CVE-2025-21883", "title" : "ice: Fix deinitializing VF in error path", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21883" ], "unique" : false }, { "id" : "CVE-2025-21928", "title" : "HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21928" ], "unique" : false }, { "id" : "CVE-2025-21929", "title" : "HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21929" ], "unique" : false }, { "id" : "CVE-2025-21991", "title" : "x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21991" ], "unique" : false }, { "id" : "CVE-2025-22085", "title" : "RDMA/core: Fix use-after-free when rename device name", "source" : "redhat-csaf", "cvssScore" : 6.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22085" ], "unique" : false }, { "id" : "CVE-2021-47383", "title" : "tty: Fix out-of-bound vmalloc access in imageblit", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2021-47383" ], "unique" : false }, { "id" : "CVE-2025-21759", "title" : "ipv6: mcast: extend RCU protection in igmp6_send()", "source" : "redhat-csaf", "cvssScore" : 6.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21759" ], "unique" : false }, { "id" : "CVE-2023-28746", "title" : "Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-28746" ], "unique" : false }, { "id" : "CVE-2023-6356", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6356" ], "unique" : false }, { "id" : "CVE-2023-6535", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6535" ], "unique" : false }, { "id" : "CVE-2023-6536", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-6536" ], "unique" : false }, { "id" : "CVE-2024-21823", "title" : "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-21823" ], "unique" : false }, { "id" : "CVE-2025-21999", "title" : "proc: fix UAF in proc_get_inode()", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21999" ], "unique" : false }, { "id" : "CVE-2025-38350", "title" : "net/sched: Always pass notifications when child class becomes empty", "source" : "redhat-csaf", "cvssScore" : 6.4, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38350" ], "unique" : false }, { "id" : "CVE-2024-46695", "title" : "selinux,smack: don't bypass permissions check in inode_setsecctx hook", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46695" ], "unique" : false }, { "id" : "CVE-2024-50275", "title" : "arm64/sve: Discard stale CPU state when handling SVE traps", "source" : "redhat-csaf", "cvssScore" : 6.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50275" ], "unique" : false }, { "id" : "CVE-2024-42292", "title" : "kobject_uevent: Fix OOB access within zap_modalias_env()", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42292" ], "unique" : false }, { "id" : "CVE-2024-50302", "title" : "HID: core: zero-initialize the report buffer", "source" : "redhat-csaf", "cvssScore" : 6.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50302" ], "unique" : false }, { "id" : "CVE-2022-49395", "title" : "um: Fix out-of-bounds read in LDT setup", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2022-49395" ], "unique" : false }, { "id" : "CVE-2023-5090", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2023-5090" ], "unique" : false }, { "id" : "CVE-2024-26664", "title" : "hwmon: (coretemp) Fix out-of-bounds memory access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26664" ], "unique" : false }, { "id" : "CVE-2024-50264", "title" : "vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50264" ], "unique" : false }, { "id" : "CVE-2025-38110", "title" : "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38110" ], "unique" : false }, { "id" : "CVE-2024-53122", "title" : "mptcp: cope racing subflow creation in mptcp_rcv_space_adjust", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53122" ], "unique" : false }, { "id" : "CVE-2024-53197", "title" : "ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53197" ], "unique" : false }, { "id" : "CVE-2024-36941", "title" : "wifi: nl80211: don't free NULL coalescing rule", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36941" ], "unique" : false }, { "id" : "CVE-2024-38627", "title" : "stm class: Fix a double free in stm_register_device()", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38627" ], "unique" : false }, { "id" : "CVE-2022-50042", "title" : "net: genl: fix error path memory leak in policy dumping", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50042" ], "unique" : false }, { "id" : "CVE-2022-50353", "title" : "mmc: wmt-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50353" ], "unique" : false }, { "id" : "CVE-2022-50678", "title" : "wifi: brcmfmac: fix invalid address access when enabling SCAN log level", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50678" ], "unique" : false }, { "id" : "CVE-2023-1074", "title" : "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1074" ], "unique" : false }, { "id" : "CVE-2023-45862", "title" : "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45862" ], "unique" : false }, { "id" : "CVE-2023-52490", "title" : "mm: migrate: fix getting incorrect page mapping during page migration", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52490" ], "unique" : false }, { "id" : "CVE-2023-52658", "title" : "Revert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52658" ], "unique" : false }, { "id" : "CVE-2023-53291", "title" : "rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53291" ], "unique" : false }, { "id" : "CVE-2023-53391", "title" : "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53391" ], "unique" : false }, { "id" : "CVE-2023-53597", "title" : "cifs: fix mid leak during reconnection after timeout threshold", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53597" ], "unique" : false }, { "id" : "CVE-2023-53704", "title" : "clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53704" ], "unique" : false }, { "id" : "CVE-2023-54004", "title" : "udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54004" ], "unique" : false }, { "id" : "CVE-2023-54093", "title" : "media: anysee: fix null-ptr-deref in anysee_master_xfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54093" ], "unique" : false }, { "id" : "CVE-2023-54271", "title" : "blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54271" ], "unique" : false }, { "id" : "CVE-2023-7192", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7192" ], "unique" : false }, { "id" : "CVE-2024-0443", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0443" ], "unique" : false }, { "id" : "CVE-2024-26615", "title" : "net/smc: fix illegal rmb_desc access in SMC-D connection dump", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26615" ], "unique" : false }, { "id" : "CVE-2024-26878", "title" : "quota: Fix potential NULL pointer dereference", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26878" ], "unique" : false }, { "id" : "CVE-2024-27046", "title" : "nfp: flower: handle acti_netdevs allocation failure", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27046" ], "unique" : false }, { "id" : "CVE-2024-27052", "title" : "wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27052" ], "unique" : false }, { "id" : "CVE-2024-35789", "title" : "wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35789" ], "unique" : false }, { "id" : "CVE-2024-35852", "title" : "mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35852" ], "unique" : false }, { "id" : "CVE-2024-35890", "title" : "gro: fix ownership transfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35890" ], "unique" : false }, { "id" : "CVE-2024-35907", "title" : "mlxbf_gige: call request_irq() after NAPI initialized", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35907" ], "unique" : false }, { "id" : "CVE-2024-35952", "title" : "drm/ast: Fix soft lockup", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35952" ], "unique" : false }, { "id" : "CVE-2024-35989", "title" : "dmaengine: idxd: Fix oops during rmmod on single-CPU platforms", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35989" ], "unique" : false }, { "id" : "CVE-2024-39483", "title" : "KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-39483" ], "unique" : false }, { "id" : "CVE-2024-40959", "title" : "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-40959" ], "unique" : false }, { "id" : "CVE-2024-41035", "title" : "USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41035" ], "unique" : false }, { "id" : "CVE-2024-41064", "title" : "powerpc/eeh: avoid possible crash when edev->pdev changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41064" ], "unique" : false }, { "id" : "CVE-2024-42079", "title" : "gfs2: Fix NULL pointer dereference in gfs2_log_flush", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42079" ], "unique" : false }, { "id" : "CVE-2024-42272", "title" : "sched: act_ct: take care of padding in struct zones_ht_key", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42272" ], "unique" : false }, { "id" : "CVE-2024-42283", "title" : "net: nexthop: Initialize all fields in dumped nexthops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42283" ], "unique" : false }, { "id" : "CVE-2024-42322", "title" : "ipvs: properly dereference pe in ip_vs_add_service", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42322" ], "unique" : false }, { "id" : "CVE-2024-43854", "title" : "block: initialize integrity buffer to zero before writing it to media", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43854" ], "unique" : false }, { "id" : "CVE-2024-44990", "title" : "bonding: fix null pointer deref in bond_ipsec_offload_ok", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44990" ], "unique" : false }, { "id" : "CVE-2024-44994", "title" : "iommu: Restore lost return in iommu_report_device_fault()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44994" ], "unique" : false }, { "id" : "CVE-2024-45018", "title" : "netfilter: flowtable: initialise extack before use", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45018" ], "unique" : false }, { "id" : "CVE-2024-46713", "title" : "perf/aux: Fix AUX buffer serialization", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46713" ], "unique" : false }, { "id" : "CVE-2024-46824", "title" : "iommufd: Require drivers to supply the cache_invalidate_user ops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46824" ], "unique" : false }, { "id" : "CVE-2024-49949", "title" : "net: avoid potential underflow in qdisc_pkt_len_init() with UFO", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-49949" ], "unique" : false }, { "id" : "CVE-2024-50208", "title" : "RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50208" ], "unique" : false }, { "id" : "CVE-2024-50251", "title" : "netfilter: nft_payload: sanitize offset and length before calling skb_checksum()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50251" ], "unique" : false }, { "id" : "CVE-2024-50252", "title" : "mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50252" ], "unique" : false }, { "id" : "CVE-2024-53113", "title" : "mm: fix NULL pointer dereference in alloc_pages_bulk_noprof", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53113" ], "unique" : false }, { "id" : "CVE-2025-21669", "title" : "vsock/virtio: discard packets if the transport changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21669" ], "unique" : false }, { "id" : "CVE-2025-21962", "title" : "cifs: Fix integer overflow while processing closetimeo mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21962" ], "unique" : false }, { "id" : "CVE-2025-21963", "title" : "cifs: Fix integer overflow while processing acdirmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21963" ], "unique" : false }, { "id" : "CVE-2025-21964", "title" : "cifs: Fix integer overflow while processing acregmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21964" ], "unique" : false }, { "id" : "CVE-2025-37785", "title" : "ext4: fix OOB read when checking dotdot dir", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-37785" ], "unique" : false }, { "id" : "CVE-2025-38234", "title" : "sched/rt: Fix race in push_rt_task", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38234" ], "unique" : false }, { "id" : "CVE-2023-52448", "title" : "gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52448" ], "unique" : false }, { "id" : "CVE-2023-53755", "title" : "dmaengine: ptdma: check for null desc before calling pt_cmd_callback", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53755" ], "unique" : false }, { "id" : "CVE-2024-47745", "title" : "mm: call the security_mmap_file() LSM hook in remap_file_pages()", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-47745" ], "unique" : false }, { "id" : "CVE-2024-53088", "title" : "i40e: fix race condition by adding filter's intermediate sync state", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53088" ], "unique" : false }, { "id" : "CVE-2025-21961", "title" : "eth: bnxt: fix truesize for mb-xdp-pass case", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21961" ], "unique" : false }, { "id" : "CVE-2025-22036", "title" : "exfat: fix random stack corruption after get_block", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22036" ], "unique" : false }, { "id" : "CVE-2025-38417", "title" : "ice: fix eswitch code memory leak in reset scenario", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38417" ], "unique" : false }, { "id" : "CVE-2023-52771", "title" : "cxl/port: Fix delete_endpoint() vs parent unregistration race", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52771" ], "unique" : false }, { "id" : "CVE-2023-52864", "title" : "platform/x86: wmi: Fix opening of char device", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52864" ], "unique" : false }, { "id" : "CVE-2024-26855", "title" : "net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26855" ], "unique" : false }, { "id" : "CVE-2024-35845", "title" : "wifi: iwlwifi: dbg-tlv: ensure NUL termination", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35845" ], "unique" : false }, { "id" : "CVE-2024-36922", "title" : "wifi: iwlwifi: read txq->read_ptr under lock", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36922" ], "unique" : false }, { "id" : "CVE-2024-38555", "title" : "net/mlx5: Discard command completions in internal error", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38555" ], "unique" : false }, { "id" : "CVE-2024-38556", "title" : "net/mlx5: Add a timeout to acquire the command queue semaphore", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38556" ], "unique" : false }, { "id" : "CVE-2024-43855", "title" : "md: fix deadlock between mddev_suspend and flush bio", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43855" ], "unique" : false }, { "id" : "CVE-2024-46826", "title" : "ELF: fix kernel.randomize_va_space double read", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46826" ], "unique" : false }, { "id" : "CVE-2024-26897", "title" : "wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26897" ], "unique" : false }, { "id" : "CVE-2024-38586", "title" : "r8169: Fix possible ring buffer corruption on fragmented Tx packets.", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38586" ], "unique" : false }, { "id" : "CVE-2022-50846", "title" : "mmc: via-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2022-50846" ], "unique" : false }, { "id" : "CVE-2023-53639", "title" : "wifi: ath6kl: reduce WARN to dev_dbg() in callback", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-53639" ], "unique" : false }, { "id" : "CVE-2023-54153", "title" : "ext4: turn quotas off if mount failed after enabling quotas", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-54153" ], "unique" : false }, { "id" : "CVE-2023-54267", "title" : "powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2023-54267" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-devel@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl trans", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50264" ], "unique" : false }, { "id" : "CVE-2025-38110", "title" : "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access", "source" : "redhat-csaf", "cvssScore" : 6.0, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38110" ], "unique" : false }, { "id" : "CVE-2024-53122", "title" : "mptcp: cope racing subflow creation in mptcp_rcv_space_adjust", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53122" ], "unique" : false }, { "id" : "CVE-2024-53197", "title" : "ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices", "source" : "redhat-csaf", "cvssScore" : 5.8, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53197" ], "unique" : false }, { "id" : "CVE-2024-36941", "title" : "wifi: nl80211: don't free NULL coalescing rule", "source" : "redhat-csaf", "cvssScore" : 5.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36941" ], "unique" : false }, { "id" : "CVE-2024-38627", "title" : "stm class: Fix a double free in stm_register_device()", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38627" ], "unique" : false }, { "id" : "CVE-2022-50042", "title" : "net: genl: fix error path memory leak in policy dumping", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50042" ], "unique" : false }, { "id" : "CVE-2022-50353", "title" : "mmc: wmt-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50353" ], "unique" : false }, { "id" : "CVE-2022-50678", "title" : "wifi: brcmfmac: fix invalid address access when enabling SCAN log level", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2022-50678" ], "unique" : false }, { "id" : "CVE-2023-1074", "title" : "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-1074" ], "unique" : false }, { "id" : "CVE-2023-45862", "title" : "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-45862" ], "unique" : false }, { "id" : "CVE-2023-52490", "title" : "mm: migrate: fix getting incorrect page mapping during page migration", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52490" ], "unique" : false }, { "id" : "CVE-2023-52658", "title" : "Revert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52658" ], "unique" : false }, { "id" : "CVE-2023-53291", "title" : "rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53291" ], "unique" : false }, { "id" : "CVE-2023-53391", "title" : "shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53391" ], "unique" : false }, { "id" : "CVE-2023-53597", "title" : "cifs: fix mid leak during reconnection after timeout threshold", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53597" ], "unique" : false }, { "id" : "CVE-2023-53704", "title" : "clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53704" ], "unique" : false }, { "id" : "CVE-2023-54004", "title" : "udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54004" ], "unique" : false }, { "id" : "CVE-2023-54093", "title" : "media: anysee: fix null-ptr-deref in anysee_master_xfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54093" ], "unique" : false }, { "id" : "CVE-2023-54271", "title" : "blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-54271" ], "unique" : false }, { "id" : "CVE-2023-7192", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-7192" ], "unique" : false }, { "id" : "CVE-2024-0443", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-0443" ], "unique" : false }, { "id" : "CVE-2024-26615", "title" : "net/smc: fix illegal rmb_desc access in SMC-D connection dump", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26615" ], "unique" : false }, { "id" : "CVE-2024-26878", "title" : "quota: Fix potential NULL pointer dereference", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26878" ], "unique" : false }, { "id" : "CVE-2024-27046", "title" : "nfp: flower: handle acti_netdevs allocation failure", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27046" ], "unique" : false }, { "id" : "CVE-2024-27052", "title" : "wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-27052" ], "unique" : false }, { "id" : "CVE-2024-35789", "title" : "wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35789" ], "unique" : false }, { "id" : "CVE-2024-35852", "title" : "mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35852" ], "unique" : false }, { "id" : "CVE-2024-35890", "title" : "gro: fix ownership transfer", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35890" ], "unique" : false }, { "id" : "CVE-2024-35907", "title" : "mlxbf_gige: call request_irq() after NAPI initialized", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35907" ], "unique" : false }, { "id" : "CVE-2024-35952", "title" : "drm/ast: Fix soft lockup", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35952" ], "unique" : false }, { "id" : "CVE-2024-35989", "title" : "dmaengine: idxd: Fix oops during rmmod on single-CPU platforms", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35989" ], "unique" : false }, { "id" : "CVE-2024-39483", "title" : "KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-39483" ], "unique" : false }, { "id" : "CVE-2024-40959", "title" : "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-40959" ], "unique" : false }, { "id" : "CVE-2024-41035", "title" : "USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41035" ], "unique" : false }, { "id" : "CVE-2024-41064", "title" : "powerpc/eeh: avoid possible crash when edev->pdev changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-41064" ], "unique" : false }, { "id" : "CVE-2024-42079", "title" : "gfs2: Fix NULL pointer dereference in gfs2_log_flush", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42079" ], "unique" : false }, { "id" : "CVE-2024-42272", "title" : "sched: act_ct: take care of padding in struct zones_ht_key", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42272" ], "unique" : false }, { "id" : "CVE-2024-42283", "title" : "net: nexthop: Initialize all fields in dumped nexthops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42283" ], "unique" : false }, { "id" : "CVE-2024-42322", "title" : "ipvs: properly dereference pe in ip_vs_add_service", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-42322" ], "unique" : false }, { "id" : "CVE-2024-43854", "title" : "block: initialize integrity buffer to zero before writing it to media", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43854" ], "unique" : false }, { "id" : "CVE-2024-44990", "title" : "bonding: fix null pointer deref in bond_ipsec_offload_ok", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44990" ], "unique" : false }, { "id" : "CVE-2024-44994", "title" : "iommu: Restore lost return in iommu_report_device_fault()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-44994" ], "unique" : false }, { "id" : "CVE-2024-45018", "title" : "netfilter: flowtable: initialise extack before use", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-45018" ], "unique" : false }, { "id" : "CVE-2024-46713", "title" : "perf/aux: Fix AUX buffer serialization", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46713" ], "unique" : false }, { "id" : "CVE-2024-46824", "title" : "iommufd: Require drivers to supply the cache_invalidate_user ops", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46824" ], "unique" : false }, { "id" : "CVE-2024-49949", "title" : "net: avoid potential underflow in qdisc_pkt_len_init() with UFO", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-49949" ], "unique" : false }, { "id" : "CVE-2024-50208", "title" : "RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50208" ], "unique" : false }, { "id" : "CVE-2024-50251", "title" : "netfilter: nft_payload: sanitize offset and length before calling skb_checksum()", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50251" ], "unique" : false }, { "id" : "CVE-2024-50252", "title" : "mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-50252" ], "unique" : false }, { "id" : "CVE-2024-53113", "title" : "mm: fix NULL pointer dereference in alloc_pages_bulk_noprof", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53113" ], "unique" : false }, { "id" : "CVE-2025-21669", "title" : "vsock/virtio: discard packets if the transport changes", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21669" ], "unique" : false }, { "id" : "CVE-2025-21962", "title" : "cifs: Fix integer overflow while processing closetimeo mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21962" ], "unique" : false }, { "id" : "CVE-2025-21963", "title" : "cifs: Fix integer overflow while processing acdirmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21963" ], "unique" : false }, { "id" : "CVE-2025-21964", "title" : "cifs: Fix integer overflow while processing acregmax mount option", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21964" ], "unique" : false }, { "id" : "CVE-2025-37785", "title" : "ext4: fix OOB read when checking dotdot dir", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-37785" ], "unique" : false }, { "id" : "CVE-2025-38234", "title" : "sched/rt: Fix race in push_rt_task", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38234" ], "unique" : false }, { "id" : "CVE-2023-52448", "title" : "gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52448" ], "unique" : false }, { "id" : "CVE-2023-53755", "title" : "dmaengine: ptdma: check for null desc before calling pt_cmd_callback", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2023-53755" ], "unique" : false }, { "id" : "CVE-2024-47745", "title" : "mm: call the security_mmap_file() LSM hook in remap_file_pages()", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-47745" ], "unique" : false }, { "id" : "CVE-2024-53088", "title" : "i40e: fix race condition by adding filter's intermediate sync state", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2024-53088" ], "unique" : false }, { "id" : "CVE-2025-21961", "title" : "eth: bnxt: fix truesize for mb-xdp-pass case", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-21961" ], "unique" : false }, { "id" : "CVE-2025-22036", "title" : "exfat: fix random stack corruption after get_block", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-22036" ], "unique" : false }, { "id" : "CVE-2025-38417", "title" : "ice: fix eswitch code memory leak in reset scenario", "source" : "redhat-csaf", "cvssScore" : 4.7, "severity" : "MEDIUM", "cves" : [ "CVE-2025-38417" ], "unique" : false }, { "id" : "CVE-2023-52771", "title" : "cxl/port: Fix delete_endpoint() vs parent unregistration race", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52771" ], "unique" : false }, { "id" : "CVE-2023-52864", "title" : "platform/x86: wmi: Fix opening of char device", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2023-52864" ], "unique" : false }, { "id" : "CVE-2024-26855", "title" : "net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26855" ], "unique" : false }, { "id" : "CVE-2024-35845", "title" : "wifi: iwlwifi: dbg-tlv: ensure NUL termination", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-35845" ], "unique" : false }, { "id" : "CVE-2024-36922", "title" : "wifi: iwlwifi: read txq->read_ptr under lock", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-36922" ], "unique" : false }, { "id" : "CVE-2024-38555", "title" : "net/mlx5: Discard command completions in internal error", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38555" ], "unique" : false }, { "id" : "CVE-2024-38556", "title" : "net/mlx5: Add a timeout to acquire the command queue semaphore", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38556" ], "unique" : false }, { "id" : "CVE-2024-43855", "title" : "md: fix deadlock between mddev_suspend and flush bio", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-43855" ], "unique" : false }, { "id" : "CVE-2024-46826", "title" : "ELF: fix kernel.randomize_va_space double read", "source" : "redhat-csaf", "cvssScore" : 4.4, "severity" : "MEDIUM", "cves" : [ "CVE-2024-46826" ], "unique" : false }, { "id" : "CVE-2024-26897", "title" : "wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-26897" ], "unique" : false }, { "id" : "CVE-2024-38586", "title" : "r8169: Fix possible ring buffer corruption on fragmented Tx packets.", "source" : "redhat-csaf", "cvssScore" : 4.1, "severity" : "MEDIUM", "cves" : [ "CVE-2024-38586" ], "unique" : false }, { "id" : "CVE-2022-50846", "title" : "mmc: via-sdmmc: fix return value check of mmc_add_host()", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2022-50846" ], "unique" : false }, { "id" : "CVE-2023-53639", "title" : "wifi: ath6kl: reduce WARN to dev_dbg() in callback", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-53639" ], "unique" : false }, { "id" : "CVE-2023-54153", "title" : "ext4: turn quotas off if mount failed after enabling quotas", "source" : "redhat-csaf", "cvssScore" : 3.3, "severity" : "LOW", "cves" : [ "CVE-2023-54153" ], "unique" : false }, { "id" : "CVE-2023-54267", "title" : "powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT", "source" : "redhat-csaf", "cvssScore" : 2.5, "severity" : "LOW", "cves" : [ "CVE-2023-54267" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2023-44466", "title" : "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2023-44466" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-common@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-devel@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/glibc-langpack-en@2.34-40.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=glibc-2.34-40.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false }, { "id" : "CVE-2026-0861", "title" : "Integer overflow in memalign leads to heap corruption", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2026-0861" ], "unique" : false }, { "id" : "CVE-2023-4911", "title" : "Glibc: buffer overflow in ld.so leading to privilege escalation", "source" : "redhat-csaf", "cvssScore" : 7.8, "severity" : "HIGH", "cves" : [ "CVE-2023-4911" ], "unique" : false }, { "id" : "CVE-2024-33599", "title" : "nscd: Stack-based buffer overflow in netgroup cache", "source" : "redhat-csaf", "cvssScore" : 7.6, "severity" : "HIGH", "cves" : [ "CVE-2024-33599" ], "unique" : false }, { "id" : "CVE-2025-4802", "source" : "redhat-csaf", "cvssScore" : 7.0, "severity" : "HIGH", "cves" : [ "CVE-2025-4802" ], "unique" : false }, { "id" : "CVE-2023-4527", "title" : "Glibc: stack read overflow in getaddrinfo in no-aaaa mode", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4527" ], "unique" : false }, { "id" : "CVE-2026-4437", "title" : "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response", "source" : "redhat-csaf", "cvssScore" : 6.5, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4437" ], "unique" : false }, { "id" : "CVE-2023-4806", "title" : "Glibc: potential use-after-free in getaddrinfo()", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4806" ], "unique" : false }, { "id" : "CVE-2023-4813", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2023-4813" ], "unique" : false }, { "id" : "CVE-2025-15281", "source" : "redhat-csaf", "cvssScore" : 5.9, "severity" : "MEDIUM", "cves" : [ "CVE-2025-15281" ], "unique" : false }, { "id" : "CVE-2025-5702", "title" : "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.", "source" : "redhat-csaf", "cvssScore" : 5.6, "severity" : "MEDIUM", "cves" : [ "CVE-2025-5702" ], "unique" : false }, { "id" : "CVE-2025-0395", "title" : "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.", "source" : "redhat-csaf", "cvssScore" : 5.5, "severity" : "MEDIUM", "cves" : [ "CVE-2025-0395" ], "unique" : false }, { "id" : "CVE-2024-33600", "title" : "nscd: Null pointer crashes after notfound response", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33600" ], "unique" : false }, { "id" : "CVE-2026-0915", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-0915" ], "unique" : false }, { "id" : "CVE-2026-4046", "title" : "iconv crash due to assertion failure with untrusted input", "source" : "redhat-csaf", "cvssScore" : 5.3, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4046" ], "unique" : false }, { "id" : "CVE-2026-5450", "title" : "scanf %mc off-by-one heap buffer overflow", "source" : "redhat-csaf", "cvssScore" : 5.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-5450" ], "unique" : false }, { "id" : "CVE-2025-8058", "source" : "redhat-csaf", "cvssScore" : 4.2, "severity" : "MEDIUM", "cves" : [ "CVE-2025-8058" ], "unique" : false }, { "id" : "CVE-2024-33601", "title" : "nscd: netgroup cache may terminate daemon on memory allocation failure", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33601" ], "unique" : false }, { "id" : "CVE-2024-33602", "title" : "nscd: netgroup cache assumes NSS callback uses in-buffer strings", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2024-33602" ], "unique" : false }, { "id" : "CVE-2026-4438", "title" : "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames", "source" : "redhat-csaf", "cvssScore" : 4.0, "severity" : "MEDIUM", "cves" : [ "CVE-2026-4438" ], "unique" : false } ], "highestVulnerability" : { "id" : "CVE-2024-2961", "title" : "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "source" : "redhat-csaf", "cvssScore" : 8.8, "severity" : "HIGH", "cves" : [ "CVE-2024-2961" ], "unique" : false } }, { "ref" : "pkg:rpm/redhat/libcurl-minimal@7.76.1-19.el9_1.1?arch=x86_64&distro=rhel-9.1&upstream=curl-7.76.1-19.el9_1.1.src.rpm", "issues" : [ { "id" : "CVE-2023-38545", "title" : "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.", "source" : "redhat-csaf", "cvssScore" : 8.1, "severity" : "HIGH", "cves" : [ "CVE-2023-38545" ], "unique" : false }, { "id" : "CVE-2024-2398", "title" : "HTTP/2 push headers memory-leak", "source" : "redhat-csaf", "cvssScore" : 7.5, "severity" : "HIGH", "cves" : [ "CVE-2024-2398" ], "unique" : false }, { "id" : "CVE-2023-23916", "title" : "An allocation of resources without limits or throttling vulnerability exists in curl