PatchSiren

Red Hat CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Red Hat CVE published 2026-06-23

CVE-2026-12969

CVE-2026-12969 is an out-of-bounds read vulnerability in dnsmasq's find_soa() function in src/rfc1035.c. The vulnerability occurs when parsing NS section records, where extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte [truncated]

MEDIUM Red Hat CVE published 2026-06-23

CVE-2026-10609

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials. This allows a delegated editor to exfiltrate SA tokens and escalate privileges. The vulnerability has a CVSS score of 6.8 and is classified as medium s [truncated]

LOW Red Hat CVE published 2026-06-23

CVE-2026-55654

CVE-2026-55654 is a low-severity vulnerability in OpenSSH that can cause a denial of service (DoS) due to a heap out-of-bounds read. The vulnerability occurs during the cleanup of GSSAPI indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause [truncated]

MEDIUM Red Hat CVE published 2026-06-23

CVE-2026-55653

CVE-2026-55653 is a medium-severity vulnerability in OpenSSH, allowing a malicious SSH server to exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Se [truncated]

MEDIUM Red Hat CVE published 2026-06-22

CVE-2026-12549

CVE-2026-12549 is a vulnerability caused by a regression in the fix for CVE-2026-2443. A subsequent rework commit replaced specific overflow checks with a general signed comparison, leading to improper clamping of negative start values when a client sends a Range request with a suffix length exceeding the content size. This results in malformed HTTP 206 responses and log flooding. The vulnerability has a [truncated]

HIGH Red Hat CVE published 2026-06-22

CVE-2026-54100

CVE-2026-54100 is a high-severity flaw in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The issue allows an adjacent-network attacker to intercept or redirect WMCO's SSH session and capture credentials, potentially compromising Windows node identities. The CVSS score is 8.3, indicating a high level of severity. The vulnerability was published on June 22, 2026.

HIGH Red Hat CVE published 2026-06-22

CVE-2026-54099

CVE-2026-54099 is a HIGH-severity vulnerability in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver improperly validates Certificate Signing Requests, allowing a compromised Windows worker node to gain cluster-administrator privileges. This flaw can lead to full cluster takeover. The vulnerability has a CVSS score of 8.8. Red Hat OpenShift Con [truncated]

HIGH Red Hat CVE published 2026-06-19

CVE-2026-56208

CVE-2026-56208 is a high-severity heap buffer overflow vulnerability in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent he [truncated]

MEDIUM Red Hat CVE published 2026-06-19

CVE-2026-3196

CVE-2026-3196 is an integer overflow vulnerability in the virtio-snd device. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition. This vulnerability has a CVSS score of 5.5 and is classified as MEDIUM severity. The vulnerability was published on June 19, 2026, and no modifications have been made since then.

MEDIUM Red Hat CVE published 2026-06-18

CVE-2026-11791

CVE-2026-11791 is a medium-severity vulnerability in 389 Directory Server that can cause a denial of service (server crash) during schema reload with concurrent LDAP query traffic. The flaw occurs in the attr_syntax_swap_ht() function, which unconditionally frees attribute syntax information nodes, bypassing refcount-based deferred deletion. This can lead to use-after-free or double-free crashes. Administ [truncated]

HIGH Red Hat CVE published 2026-06-18

CVE-2026-12505

A high-severity vulnerability, CVE-2026-12505, was found in the cifs-utils package. The cifs.upcall helper fails to securely drop its root privileges before looking up user information in a user-controlled environment. This allows a local, low-privileged attacker to exploit the vulnerability using a crafted request_key payload, tricking the root-owned helper into entering a custom environment with a malic [truncated]

MEDIUM Red Hat CVE published 2026-06-17

CVE-2026-12515

CVE-2026-12515 is a medium-severity vulnerability in Red Hat Satellite's Katello component. It stems from insufficient authorization checks in the ContentUploadsController, allowing users with edit_products permission to query content information for repositories they shouldn't access. This issue, published on 2026-06-17, was modified on 2026-06-18. Exploitation requires authentication but doesn't permit [truncated]

MEDIUM Red Hat CVE published 2026-06-17

CVE-2026-12528

CVE-2026-12528 is a MEDIUM severity vulnerability in the 389 Directory Server, specifically in the __aclp__normalize_acltxt() function. An authenticated user with write access to the aci attribute can send a crafted ACI value, triggering a heap-buffer-overflow write and subsequent out-of-bounds reads. This flaw can silently corrupt heap memory in the directory server process. The CVSS score for this vulne [truncated]

MEDIUM Red Hat CVE published 2026-06-17

CVE-2026-12491

The CVE-2026-12491 vulnerability in vLLM, an open-source library for large language model inference, arises from improper handling of image metadata. Specifically, EXIF orientation and PNG transparency (tRNS) data are not correctly processed when images are converted to RGB. This can lead to unexpected rendering of transparent pixels and distortion of input content, potentially affecting the integrity of [truncated]

MEDIUM Red Hat CVE published 2026-06-16

CVE-2026-4367

CVE-2026-4367 is a MEDIUM-severity vulnerability in libXpm, a library for handling X PixMap (XPM) images. The vulnerability, with a CVSS score of 5.5, allows a local user with low privileges to exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function. This can be done by processing a specially crafted or very small XPM image file, which can cause an internal pointer to read beyond the f [truncated]

HIGH Red Hat CVE published 2026-06-16

CVE-2026-10649

CVE-2026-10649 is a high-severity vulnerability in Pacemaker, software for managing cluster resources. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote l [truncated]

HIGH Red Hat CVE published 2026-06-16

CVE-2026-12398

CVE-2026-12398 is a HIGH severity vulnerability with a CVSS score of 7.5. A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with s [truncated]

MEDIUM Red Hat CVE published 2026-06-16

CVE-2026-42014

A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

MEDIUM Red Hat CVE published 2026-06-16

CVE-2026-1767

A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. An incorrect length calculation during the parsing of performer tags can lead to a read beyond the allocated buffer, potentially causin [truncated]

MEDIUM Red Hat CVE published 2026-06-16

CVE-2026-1766

A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an ap [truncated]

MEDIUM Red Hat CVE published 2026-06-16

CVE-2026-1765

A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners). This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3 file, leading to a Denial of Service (DoS) where the application crashes. It may also potentially expose sensitive information from [truncated]

MEDIUM Red Hat CVE published 2026-06-16

CVE-2026-1764

A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also [truncated]

HIGH Red Hat CVE published 2026-06-15

CVE-2026-53705

CVE-2026-53705 is a high-severity vulnerability in GStreamer's WavPack audio decoder. The flaw occurs when processing specially crafted WavPack files, leading to an integer overflow in buffer size calculation. This causes a small heap allocation, allowing the WavPack library to write decoded audio samples beyond the allocated buffer, resulting in heap memory corruption. The vulnerability affects both 32-b [truncated]

HIGH Red Hat CVE published 2026-06-15

CVE-2026-53704

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacke [truncated]

HIGH Red Hat CVE published 2026-06-15

CVE-2026-53703

A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first chec [truncated]

HIGH Red Hat CVE published 2026-06-15

CVE-2026-52722

CVE-2026-52722 is a HIGH severity vulnerability in GStreamer's VMnc decoder. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure. The vulnerability has a CVSS score of 7.1 and was published on [2026-06-15](https://www.cve.org/CVERecord?id=CVE-2026-52722).

MEDIUM Red Hat CVE published 2026-06-15

CVE-2026-52721

CVE-2026-52721 is a MEDIUM-severity vulnerability with a CVSS score of 5.3. The vulnerability affects GStreamer's pcapparse element, which is primarily used in debugging pipelines. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure.

HIGH Red Hat CVE published 2026-06-15

CVE-2026-52720

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lea [truncated]

HIGH Red Hat CVE published 2026-06-15

CVE-2026-52719

CVE-2026-52719 is an out-of-bounds read vulnerability found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The vulnerability occurs because the JPEG parser reads a segment length value from the bitstream without validating it against available data. This allows a remote attacker to trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input [truncated]

MEDIUM Red Hat CVE published 2026-06-15

CVE-2026-52718

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.

MEDIUM Red Hat CVE published 2026-06-15

CVE-2026-44188

A flaw was found in Ansible Lightspeed, related to insufficient session expiration. This vulnerability allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backen [truncated]

MEDIUM Red Hat CVE published 2026-06-13

CVE-2026-54231

A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog mess [truncated]

HIGH Red Hat CVE published 2026-06-13

CVE-2026-54230

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.

HIGH Red Hat CVE published 2026-06-13

CVE-2026-54229

CVE-2026-54229 is a HIGH-severity vulnerability with a CVSS score of 7. The vulnerability is caused by a race condition in the abrt-dbus D-Bus service's ChownProblemDir method. This method opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain [truncated]

HIGH Red Hat CVE published 2026-06-13

CVE-2026-54228

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.

MEDIUM Red Hat CVE published 2026-06-12

CVE-2026-48914

CVE-2026-48914 is a medium-severity vulnerability in QEMU's virtio-blk device. The device fails to properly validate the size of input descriptors before writing data, allowing a malicious guest with high privileges to submit a malformed virtio-blk SCSI request. This can lead to an out-of-bounds write in the host heap memory and potentially cause a denial of service (DoS) for the QEMU process.

MEDIUM Red Hat CVE published 2026-06-11

CVE-2026-53702

A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond [truncated]

MEDIUM Red Hat CVE published 2026-06-11

CVE-2026-53701

CVE-2026-53701 is a MEDIUM-severity vulnerability with a CVSS score of 6.5. The vulnerability was published on 2026-06-11T19:16:47.913Z and last modified on 2026-06-11T20:56:29.653Z. The vulnerability affects GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad, allowing an out-of-bounds write via a crafted H.266/VVC media file.

HIGH Red Hat CVE published 2026-06-11

CVE-2026-11774

CVE-2026-11774 is a HIGH severity vulnerability in the SASL I/O layer of 389 Directory Server (389-ds-base). An integer overflow flaw was found in sasl_io_start_packet(), which can cause a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data after a successful SASL bind with integrity protection. This can lead to a Denial of Service (DoS) or achieve Remote Code Execution (RC [truncated]

MEDIUM Red Hat CVE published 2026-06-11

CVE-2026-11986

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting [truncated]

MEDIUM Red Hat CVE published 2026-06-11

CVE-2026-11850

CVE-2026-11850 is an integer underflow vulnerability in the MIT krb5 implementation, specifically in the `berval2tl_data()` function located in `plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c`. The function performs an unsigned subtraction (`bv_len - 2`) without a prior bounds check. When `bv_len` is 0 or 1, the subtraction wraps to a large value, which is then truncated to `uint16_t`, yielding 0xFFFE (65 [truncated]

HIGH Red Hat CVE published 2026-06-10

CVE-2026-6893

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the [truncated]

CRITICAL Red Hat CVE published 2026-06-10

CVE-2026-53476

CVE-2026-53476 is a critical path traversal vulnerability in assisted-migration-agent. An unauthenticated attacker on the same LAN can exploit this flaw to bypass security checks and write arbitrary files to the system, potentially leading to unauthorized code execution.

CRITICAL Red Hat CVE published 2026-06-10

CVE-2026-53475

CVE-2026-53475 is a critical vulnerability in assisted-migration-agent, with a CVSS score of 9.3. The application hardcodes insecure TLS connections when communicating with vCenter, allowing a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.

CRITICAL Red Hat CVE published 2026-06-10

CVE-2026-53474

A critical SQL Injection vulnerability was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing [truncated]

HIGH Red Hat CVE published 2026-06-10

CVE-2026-53473

A cross-site scripting (XSS) vulnerability was discovered in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This vulnerability allows the attacker to compromise the vict [truncated]

CRITICAL Red Hat CVE published 2026-06-10

CVE-2026-53471

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete [truncated]

CRITICAL Red Hat CVE published 2026-06-10

CVE-2026-53470

CVE-2026-53470: A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensit [truncated]

MEDIUM Red Hat CVE published 2026-06-10

CVE-2026-11884

CVE-2026-11884 is a heap buffer overflow vulnerability in 389 Directory Server. The vulnerability occurs when serializing objectclass definitions, where the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, [truncated]

HIGH Red Hat CVE published 2026-06-10

CVE-2026-11837

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the a [truncated]