Red Hat Security Advisory: Satellite 6.18.6 Async Update
Red Hat Satellite 6.18.6 addresses multiple security vulnerabilities including an out-of-bounds write in the Pillow library (CVE-2026-25990), arbitrary code execution via deserialization in c3p0 (CVE-2026-27830), and a symlink traversal issue in dynflow-utils (CVE-2026-32282). These vulnerabilities affect system management components used for provisioning and configuration management. The update is rated with an Important security impact by Red Hat Product Security. No CVSS score is provided for these vulnerabilities.
AI Analysis
Technical Summary
This advisory covers security fixes in Red Hat Satellite 6.18.6 for three vulnerabilities: CVE-2026-25990 is an out-of-bounds write vulnerability in python3.12-pillow triggered by specially crafted PSD images; CVE-2026-27830 is an arbitrary code execution vulnerability in candlepin's c3p0 component via deserialization of crafted objects; CVE-2026-32282 is a vulnerability in dynflow-utils where Root.Chmod can follow symlinks outside the root directory. These issues are addressed in the updated packages released by Red Hat. The advisory recommends applying the update after ensuring all previous errata are applied.
Potential Impact
Successful exploitation of these vulnerabilities could lead to out-of-bounds memory writes, arbitrary code execution, or unauthorized file permission changes via symlink traversal. This could compromise the integrity and security of systems managed by Red Hat Satellite. The advisory rates the overall impact as Important, indicating significant security concerns but does not provide a CVSS score.
Mitigation Recommendations
Red Hat has released an official update for Red Hat Satellite 6.18.6 that addresses these vulnerabilities. Users should apply this update after confirming that all previously released errata relevant to their systems have been installed. Detailed update instructions are available in the Red Hat Satellite documentation. No alternative mitigations or workarounds are specified in the advisory.
Red Hat Security Advisory: Satellite 6.18.6 Async Update
Description
Red Hat Satellite 6.18.6 addresses multiple security vulnerabilities including an out-of-bounds write in the Pillow library (CVE-2026-25990), arbitrary code execution via deserialization in c3p0 (CVE-2026-27830), and a symlink traversal issue in dynflow-utils (CVE-2026-32282). These vulnerabilities affect system management components used for provisioning and configuration management. The update is rated with an Important security impact by Red Hat Product Security. No CVSS score is provided for these vulnerabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This advisory covers security fixes in Red Hat Satellite 6.18.6 for three vulnerabilities: CVE-2026-25990 is an out-of-bounds write vulnerability in python3.12-pillow triggered by specially crafted PSD images; CVE-2026-27830 is an arbitrary code execution vulnerability in candlepin's c3p0 component via deserialization of crafted objects; CVE-2026-32282 is a vulnerability in dynflow-utils where Root.Chmod can follow symlinks outside the root directory. These issues are addressed in the updated packages released by Red Hat. The advisory recommends applying the update after ensuring all previous errata are applied.
Potential Impact
Successful exploitation of these vulnerabilities could lead to out-of-bounds memory writes, arbitrary code execution, or unauthorized file permission changes via symlink traversal. This could compromise the integrity and security of systems managed by Red Hat Satellite. The advisory rates the overall impact as Important, indicating significant security concerns but does not provide a CVSS score.
Mitigation Recommendations
Red Hat has released an official update for Red Hat Satellite 6.18.6 that addresses these vulnerabilities. Users should apply this update after confirming that all previously released errata relevant to their systems have been installed. Detailed update instructions are available in the Red Hat Satellite documentation. No alternative mitigations or workarounds are specified in the advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:28385
- Cve Count
- 3
- Additional Cves
- ["CVE-2026-27830","CVE-2026-32282"]
- Cvss Version
- null
Threat ID: 6a3c0ceaeed863c81e23732b
Added to database: 06/24/2026, 16:59:22 UTC
Last enriched: 06/24/2026, 17:00:41 UTC
Last updated: 06/24/2026, 19:36:42 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.