Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-40898 (GCVE-0-2026-40898)
Vulnerability from cvelistv5 – Published: 2026-06-04 17:43 – Updated: 2026-06-04 18:40- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags |
|---|---|
| https://github.com/quic-go/quic-go/security/advis… | x_refsource_CONFIRM |
| https://github.com/quic-go/quic-go/releases/tag/v0.59.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T18:40:25.619349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T18:40:44.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "quic-go",
"vendor": "quic-go",
"versions": [
{
"status": "affected",
"version": "\u003c 0.59.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:43:36.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9"
},
{
"name": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1"
}
],
"source": {
"advisory": "GHSA-vvgj-x9jq-8cj9",
"discovery": "UNKNOWN"
},
"title": "quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40898",
"datePublished": "2026-06-04T17:43:36.803Z",
"dateReserved": "2026-04-15T16:37:22.766Z",
"dateUpdated": "2026-06-04T18:40:44.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-40898",
"date": "2026-07-13",
"epss": "0.00279",
"percentile": "0.19782"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-40898\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-04T19:16:28.713\",\"lastModified\":\"2026-06-17T10:45:50.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"quic-go\",\"product\":\"quic-go\",\"versions\":[{\"version\":\"\u003c 0.59.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-04T18:40:25.619349Z\",\"id\":\"CVE-2026-40898\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.59.1\",\"matchCriteriaId\":\"24C2AA10-3C35-459E-9F17-9415D9ED7147\"}]}]}],\"references\":[{\"url\":\"https://github.com/quic-go/quic-go/releases/tag/v0.59.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-12T19:34:03+00:00",
"cve": "CVE-2026-40898",
"id": "CVE-2026-40898",
"initial_release_date": "2026-06-04T17:43:36.803000+00:00",
"product_status:fixed": "7",
"product_status:known_affected": "17",
"product_status:known_not_affected": "7",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "github.com/quic-go/quic-go: quic-go: Denial of Service via excessive memory allocation in HTTP/3 trailers",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40898.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40898\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-04T18:40:25.619349Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-04T18:40:33.584Z\"}}], \"cna\": {\"title\": \"quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion\", \"source\": {\"advisory\": \"GHSA-vvgj-x9jq-8cj9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"quic-go\", \"product\": \"quic-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.59.1\"}]}], \"references\": [{\"url\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9\", \"name\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/quic-go/quic-go/releases/tag/v0.59.1\", \"name\": \"https://github.com/quic-go/quic-go/releases/tag/v0.59.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-04T17:43:36.803Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-40898\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-04T18:40:44.304Z\", \"dateReserved\": \"2026-04-15T16:37:22.766Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-04T17:43:36.803Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-40898
Vulnerability from fkie_nvd - Published: 2026-06-04 19:16 - Updated: 2026-06-17 10:457.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/quic-go/quic-go/releases/tag/v0.59.1 | Product, Release Notes | |
| security-advisories@github.com | https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9 | Mitigation, Vendor Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| quic-go_project | quic-go | * |
{
"affected": [
{
"affectedData": [
{
"product": "quic-go",
"vendor": "quic-go",
"versions": [
{
"status": "affected",
"version": "\u003c 0.59.1"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24C2AA10-3C35-459E-9F17-9415D9ED7147",
"versionEndExcluding": "0.59.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded."
}
],
"id": "CVE-2026-40898",
"lastModified": "2026-06-17T10:45:50.917",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-40898",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T18:40:25.619349Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-04T19:16:28.713",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-VVGJ-X9JQ-8CJ9
Vulnerability from github – Published: 2026-06-03 20:59 – Updated: 2026-06-09 11:54Summary
An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for the corresponding http.Request or http.Response, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion.
This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector.
Impact
A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction.
Details
In HTTP/3, field sections are compressed using QPACK (RFC 9204). Field sections are used for both HTTP headers and trailers. quic-go's HTTP/3 server and client decode the QPACK-encoded HEADERS frame into header fields, then construct an http.Request or http.Response.
http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes limit the encoded HEADERS frame size, with defaults of 1 MB for servers and 10 MB for clients. However, they did not limit the decoded field section size. A maliciously crafted HEADERS frame carrying trailers can expand to about 50x the encoded size using QPACK static table entries with long names and/or values.
RFC 9114 requires endpoints to enforce decoded field section size limits via SETTINGS, which quic-go did not do for trailers.
The Fix
quic-go now enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.59.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/quic-go/quic-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.59.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40898"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-03T20:59:49Z",
"nvd_published_at": "2026-06-04T19:16:28Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAn attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion.\n\nThis is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector.\n\n## Impact\n\nA misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction.\n\n## Details\n\nIn HTTP/3, field sections are compressed using QPACK (RFC 9204). Field sections are used for both HTTP headers and trailers. quic-go\u0027s HTTP/3 server and client decode the QPACK-encoded HEADERS frame into header fields, then construct an `http.Request` or `http.Response`.\n\n`http3.Server.MaxHeaderBytes` and `http3.Transport.MaxResponseHeaderBytes` limit the encoded HEADERS frame size, with defaults of 1 MB for servers and 10 MB for clients. However, they did not limit the decoded field section size. A maliciously crafted HEADERS frame carrying trailers can expand to about 50x the encoded size using QPACK static table entries with long names and/or values.\n\nRFC 9114 requires endpoints to enforce decoded field section size limits via SETTINGS, which quic-go did not do for trailers.\n\n## The Fix\n\nquic-go now enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded.",
"id": "GHSA-vvgj-x9jq-8cj9",
"modified": "2026-06-09T11:54:12Z",
"published": "2026-06-03T20:59:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40898"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/pull/5642"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/commit/c56e8c79d1627cc1ed6005b421b4b0adadd83665"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-g754-hx8w-x2g6"
},
{
"type": "PACKAGE",
"url": "https://github.com/quic-go/quic-go"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion "
}
RHSA-2026:25238
Vulnerability from csaf_redhat - Published: 2026-06-11 11:03 - Updated: 2026-07-12 19:34A flaw was found in quic-go, an implementation of the QUIC protocol in Go. A remote attacker can exploit this by sending specially crafted HTTP/3 trailer fields. This can cause the system to allocate excessive memory, leading to a denial-of-service (DoS) condition where the affected server or client may crash or run out of resources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:caddy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:caddy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:caddy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in OpenTelemetry-Go (before schema package version 0.0.17). ParseFile in go.opentelemetry.io/otel/schema/v1.0 and v1.1 opens a schema file and passes it to Parse without closing it, leaking one file descriptor per successful call. Repeated parsing in a long-running process can exhaust the file descriptor limit and cause denial of service.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ncaddy:\n * caddy-2.11.4-0.1.hum1 (aarch64, x86_64)\n * caddy-2.11.4-0.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:25238",
"url": "https://access.redhat.com/errata/RHSA-2026:25238"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45287",
"url": "https://access.redhat.com/security/cve/CVE-2026-45287"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40898",
"url": "https://access.redhat.com/security/cve/CVE-2026-40898"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25238.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-12T19:34:08+00:00",
"generator": {
"date": "2026-07-12T19:34:08+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:25238",
"initial_release_date": "2026-06-11T11:03:27+00:00",
"revision_history": [
{
"date": "2026-06-11T11:03:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-12T19:20:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-12T19:34:08+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-main@aarch64",
"product": {
"name": "caddy-main@aarch64",
"product_id": "caddy-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/caddy@2.11.4-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-main@src",
"product": {
"name": "caddy-main@src",
"product_id": "caddy-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/caddy@2.11.4-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "caddy-main@x86_64",
"product": {
"name": "caddy-main@x86_64",
"product_id": "caddy-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/caddy@2.11.4-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:caddy-main@aarch64"
},
"product_reference": "caddy-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:caddy-main@src"
},
"product_reference": "caddy-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caddy-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:caddy-main@x86_64"
},
"product_reference": "caddy-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-40898",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-04T19:00:56.584166+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2484875"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in quic-go, an implementation of the QUIC protocol in Go. A remote attacker can exploit this by sending specially crafted HTTP/3 trailer fields. This can cause the system to allocate excessive memory, leading to a denial-of-service (DoS) condition where the affected server or client may crash or run out of resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/quic-go/quic-go: quic-go: Denial of Service via excessive memory allocation in HTTP/3 trailers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial-of-service flaw in `quic-go` that allows a remote attacker to exhaust system memory by sending specially crafted HTTP/3 trailer fields. This can lead to crashes or resource unavailability in affected Red Hat products utilizing `quic-go` for HTTP/3 communication, impacting both client and server implementations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40898"
},
{
"category": "external",
"summary": "RHBZ#2484875",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484875"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40898",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40898"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40898",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40898"
},
{
"category": "external",
"summary": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1",
"url": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1"
},
{
"category": "external",
"summary": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9",
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9"
}
],
"release_date": "2026-06-04T17:43:36.803000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-11T11:03:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25238"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/quic-go/quic-go: quic-go: Denial of Service via excessive memory allocation in HTTP/3 trailers"
},
{
"cve": "CVE-2026-45287",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2026-06-04T16:01:14.155335+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2484831"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenTelemetry-Go (before schema package version 0.0.17). ParseFile in go.opentelemetry.io/otel/schema/v1.0 and v1.1 opens a schema file and passes it to Parse without closing it, leaking one file descriptor per successful call. Repeated parsing in a long-running process can exhaust the file descriptor limit and cause denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "go.opentelemetry.io/otel: go.opentelemetry.io/otel/schema/v1.0: go.opentelemetry.io/otel/schema/v1.1: OpenTelemetry-Go: Denial of Service due to file descriptor leak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenTelemetry-Go schema parsing is vulnerable to file descriptor leak in ParseFile for otel/schema v1.0 and v1.1. An attacker who can cause repeated schema parsing against an attacker-influenced file path in a long-running Go process may exhaust file descriptors and crash or stall the service. Exposure is limited to applications that expose schema parsing to untrusted paths; many Red Hat Go services bundle the library transitively without hitting this code path.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45287"
},
{
"category": "external",
"summary": "RHBZ#2484831",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484831"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45287"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45287"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684",
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d",
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m"
}
],
"release_date": "2026-06-04T14:45:54.522000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-11T11:03:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25238"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:caddy-main@aarch64",
"Red Hat Hardened Images:caddy-main@src",
"Red Hat Hardened Images:caddy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "go.opentelemetry.io/otel: go.opentelemetry.io/otel/schema/v1.0: go.opentelemetry.io/otel/schema/v1.1: OpenTelemetry-Go: Denial of Service due to file descriptor leak"
}
]
}
RHSA-2026:38187
Vulnerability from csaf_redhat - Published: 2026-07-11 01:14 - Updated: 2026-07-13 13:04A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:rust-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in quic-go, an implementation of the QUIC protocol in Go. A remote attacker can exploit this by sending specially crafted HTTP/3 trailer fields. This can cause the system to allocate excessive memory, leading to a denial-of-service (DoS) condition where the affected server or client may crash or run out of resources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:rust-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Wasmtime, a runtime for WebAssembly. A remote attacker could exploit an arithmetic overflow vulnerability by instantiating a WebAssembly module or component that attempts to allocate an extremely large table using the WebAssembly memory64 proposal. This flaw causes Wasmtime to panic, resulting in a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:rust-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@x86_64 | — |
Vendor Fix
fix
|
A flaw was found in PyJWT, a Python library for handling JSON Web Tokens (JWT). An attacker with control over a registered JSON Web Key (JWK) private key can bypass security checks by signing a token with a forbidden algorithm while claiming to use an allowed one. This allows the attacker to have the token accepted, potentially leading to unauthorized access or manipulation of sensitive information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:rust-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in PyJWT. A remote attacker can exploit this by supplying an arbitrarily large Base64URL payload segment when verifying detached JSON Web Signature (JWS) tokens using the unencoded-payload option. This forces excessive CPU work and memory allocations, leading to a Denial of Service (DoS) against any endpoint verifying such tokens.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:rust-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Wasmtime, a runtime for WebAssembly. A WebAssembly System Interface (WASI) guest with a read-only source file capability can exploit this vulnerability. During hard-link creation and renaming operations, the system checks directory permissions but fails to match file permissions on source and destination preopens. This allows the guest to overwrite host files exposed with read permissions through WASI filesystem interfaces.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:rust-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:rust-main@x86_64 | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nrust:\n * cargo-1.97.0-1.1.hum1 (aarch64, x86_64)\n * clippy-1.97.0-1.1.hum1 (aarch64, x86_64)\n * rust-1.97.0-1.1.hum1 (aarch64, x86_64)\n * rust-analyzer-1.97.0-1.1.hum1 (aarch64, x86_64)\n * rust-debugger-common-1.97.0-1.1.hum1 (noarch)\n * rust-doc-1.97.0-1.1.hum1 (aarch64, x86_64)\n * rust-gdb-1.97.0-1.1.hum1 (noarch)\n * rust-lldb-1.97.0-1.1.hum1 (noarch)\n * rust-src-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-1.97.0-1.1.hum1 (aarch64, x86_64)\n * rust-std-static-aarch64-unknown-none-softfloat-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-aarch64-unknown-uefi-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-i686-pc-windows-gnu-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-wasm32-unknown-unknown-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-wasm32-wasip1-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-x86_64-pc-windows-gnu-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-x86_64-unknown-none-1.97.0-1.1.hum1 (noarch)\n * rust-std-static-x86_64-unknown-uefi-1.97.0-1.1.hum1 (noarch)\n * rustfmt-1.97.0-1.1.hum1 (aarch64, x86_64)\n * rust-1.97.0-1.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:38187",
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59869",
"url": "https://access.redhat.com/security/cve/CVE-2026-59869"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9678",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48525",
"url": "https://access.redhat.com/security/cve/CVE-2026-48525"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48523",
"url": "https://access.redhat.com/security/cve/CVE-2026-48523"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40898",
"url": "https://access.redhat.com/security/cve/CVE-2026-40898"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44216",
"url": "https://access.redhat.com/security/cve/CVE-2026-44216"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59887",
"url": "https://access.redhat.com/security/cve/CVE-2026-59887"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-58494",
"url": "https://access.redhat.com/security/cve/CVE-2026-58494"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_38187.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-13T13:04:51+00:00",
"generator": {
"date": "2026-07-13T13:04:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:38187",
"initial_release_date": "2026-07-11T01:14:07+00:00",
"revision_history": [
{
"date": "2026-07-11T01:14:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-13T11:24:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-13T13:04:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "rust-main@aarch64",
"product": {
"name": "rust-main@aarch64",
"product_id": "rust-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cargo@1.97.0-1.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rust-main@x86_64",
"product": {
"name": "rust-main@x86_64",
"product_id": "rust-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cargo@1.97.0-1.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "rust-main@src",
"product": {
"name": "rust-main@src",
"product_id": "rust-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rust@1.97.0-1.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rust-main@noarch",
"product": {
"name": "rust-main@noarch",
"product_id": "rust-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rust-debugger-common@1.97.0-1.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:rust-main@aarch64"
},
"product_reference": "rust-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:rust-main@noarch"
},
"product_reference": "rust-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:rust-main@src"
},
"product_reference": "rust-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:rust-main@x86_64"
},
"product_reference": "rust-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-9678",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-06-17T19:01:33.359372+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490000"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: Undici: Information disclosure due to improper cache-control header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate information disclosure flaw in Undici\u0027s cache interceptor, when configured in shared-cache mode, allows an unauthenticated attacker to retrieve sensitive authenticated user data. This is due to incorrect parsing of Cache-Control headers containing whitespace-padded field names, leading to cached responses being served improperly. Red Hat products are affected if they explicitly enable shared-cache mode, forward Authorization headers, and process non-canonical Cache-Control directives.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "RHBZ#2490000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9678",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9678"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"
}
],
"release_date": "2026-06-17T17:04:09.680000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-11T01:14:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undici: Undici: Information disclosure due to improper cache-control header parsing"
},
{
"cve": "CVE-2026-40898",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-04T19:00:56.584166+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2484875"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in quic-go, an implementation of the QUIC protocol in Go. A remote attacker can exploit this by sending specially crafted HTTP/3 trailer fields. This can cause the system to allocate excessive memory, leading to a denial-of-service (DoS) condition where the affected server or client may crash or run out of resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/quic-go/quic-go: quic-go: Denial of Service via excessive memory allocation in HTTP/3 trailers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial-of-service flaw in `quic-go` that allows a remote attacker to exhaust system memory by sending specially crafted HTTP/3 trailer fields. This can lead to crashes or resource unavailability in affected Red Hat products utilizing `quic-go` for HTTP/3 communication, impacting both client and server implementations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40898"
},
{
"category": "external",
"summary": "RHBZ#2484875",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484875"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40898",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40898"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40898",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40898"
},
{
"category": "external",
"summary": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1",
"url": "https://github.com/quic-go/quic-go/releases/tag/v0.59.1"
},
{
"category": "external",
"summary": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9",
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9"
}
],
"release_date": "2026-06-04T17:43:36.803000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-11T01:14:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/quic-go/quic-go: quic-go: Denial of Service via excessive memory allocation in HTTP/3 trailers"
},
{
"cve": "CVE-2026-44216",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2026-05-14T16:01:38.636308+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477467"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wasmtime, a runtime for WebAssembly. A remote attacker could exploit an arithmetic overflow vulnerability by instantiating a WebAssembly module or component that attempts to allocate an extremely large table using the WebAssembly memory64 proposal. This flaw causes Wasmtime to panic, resulting in a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44216"
},
{
"category": "external",
"summary": "RHBZ#2477467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477467"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44216"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44216",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44216"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg"
}
],
"release_date": "2026-05-14T14:54:32.975000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-11T01:14:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation"
},
{
"cve": "CVE-2026-48523",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2026-05-28T16:01:55.312396+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482743"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in PyJWT, a Python library for handling JSON Web Tokens (JWT). An attacker with control over a registered JSON Web Key (JWK) private key can bypass security checks by signing a token with a forbidden algorithm while claiming to use an allowed one. This allows the attacker to have the token accepted, potentially leading to unauthorized access or manipulation of sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-pyjwt: PyJWT: Verifier-side algorithm bypass leads to unauthorized information access",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Moderate. It impacts applications using PyJWT with PyJWK keys, specifically when jwt.decode() or jwt.decode_complete() are called with a PyJWK key and the PyJWKClient.get_signing_key_from_jwt flow. An attacker must control a registered JWK private key to bypass algorithm allow-lists, limiting the exploitability in environments with strict key management.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48523"
},
{
"category": "external",
"summary": "RHBZ#2482743",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482743"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48523",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48523"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48523",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48523"
},
{
"category": "external",
"summary": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f",
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"
}
],
"release_date": "2026-05-28T15:10:19.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-11T01:14:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-pyjwt: PyJWT: Verifier-side algorithm bypass leads to unauthorized information access"
},
{
"cve": "CVE-2026-48525",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-28T16:02:28.870149+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482752"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in PyJWT. A remote attacker can exploit this by supplying an arbitrarily large Base64URL payload segment when verifying detached JSON Web Signature (JWS) tokens using the unencoded-payload option. This forces excessive CPU work and memory allocations, leading to a Denial of Service (DoS) against any endpoint verifying such tokens.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-pyjwt: PyJWT: Denial of Service via processing of crafted detached JWS tokens",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate: This flaw in PyJWT, a dependency across multiple Red Hat products, allows a remote, unauthenticated attacker to trigger a Denial of Service. By submitting a specially crafted JSON Web Signature (JWS) token with an oversized unencoded payload, an attacker can force excessive CPU and memory consumption on systems verifying these tokens, leading to service disruption.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48525"
},
{
"category": "external",
"summary": "RHBZ#2482752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482752"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48525"
},
{
"category": "external",
"summary": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39",
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"
}
],
"release_date": "2026-05-28T15:11:12.483000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-11T01:14:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-pyjwt: PyJWT: Denial of Service via processing of crafted detached JWS tokens"
},
{
"cve": "CVE-2026-58494",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges"
},
"discovery_date": "2026-07-08T21:01:32.491033+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2498250"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wasmtime, a runtime for WebAssembly. A WebAssembly System Interface (WASI) guest with a read-only source file capability can exploit this vulnerability. During hard-link creation and renaming operations, the system checks directory permissions but fails to match file permissions on source and destination preopens. This allows the guest to overwrite host files exposed with read permissions through WASI filesystem interfaces.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wasmtime: Wasmtime: Overwrite host files via insufficient permission checks in wasmtime-wasi",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate-impact flaw in Wasmtime allows a malicious WebAssembly System Interface (WASI) guest to overwrite host files. By exploiting insufficient permission checks during hard-link and rename operations, a guest with read-only file capabilities can modify host files that are exposed with read permissions through WASI filesystem interfaces. This could lead to data integrity issues on the host system.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-58494"
},
{
"category": "external",
"summary": "RHBZ#2498250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498250"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-58494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-58494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-58494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58494"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/commit/5ddfd5f1ef28f2041fa07d237ad0336e167b0e0c",
"url": "https://github.com/bytecodealliance/wasmtime/commit/5ddfd5f1ef28f2041fa07d237ad0336e167b0e0c"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/commit/7db94cdcf0c79cb3dfde884b534b653f2dd83367",
"url": "https://github.com/bytecodealliance/wasmtime/commit/7db94cdcf0c79cb3dfde884b534b653f2dd83367"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/commit/8a250aac0962ca1364b5f16525720e9d0b39edcd",
"url": "https://github.com/bytecodealliance/wasmtime/commit/8a250aac0962ca1364b5f16525720e9d0b39edcd"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/commit/d3ceb56ec35f39e02496eeb4e2d9c7f4fb964d9e",
"url": "https://github.com/bytecodealliance/wasmtime/commit/d3ceb56ec35f39e02496eeb4e2d9c7f4fb964d9e"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.11",
"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.11"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.12",
"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.12"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/releases/tag/v45.0.3",
"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v45.0.3"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/releases/tag/v46.0.1",
"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v46.0.1"
},
{
"category": "external",
"summary": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj"
}
],
"release_date": "2026-07-08T20:22:16.039000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-11T01:14:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38187"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:rust-main@aarch64",
"Red Hat Hardened Images:rust-main@noarch",
"Red Hat Hardened Images:rust-main@src",
"Red Hat Hardened Images:rust-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wasmtime: Wasmtime: Overwrite host files via insufficient permission checks in wasmtime-wasi"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.