The Red Hat security advisory RHSA-2026:0076 details security fixes for the spice-client-win MSI installers targeting Windows clients. It addresses four distinct vulnerabilities: an integer truncation flaw in SQLite (CVE-2025-6965), a use-after-free vulnerability and a write-what-where vulnerability in libtiff (CVE-2025-8176 and CVE-2025-9900), and a vulnerability in libexpat that can cause large dynamic memory allocations from small XML documents (CVE-2025-59375). These vulnerabilities affect Red Hat Enterprise Linux 8.6 variants including AppStream AUS, E4S, and TUS. Updated packages are available from Red Hat to remediate these issues. The advisory does not provide CVSS scores but classifies the impact as important. There are no reports of active exploitation in the wild.

The vulnerabilities collectively could allow attackers to cause memory corruption or resource exhaustion conditions in affected components of the spice-client-win installer environment. This may lead to potential denial of service or other impacts depending on the specific vulnerability. However, no known exploits in the wild have been reported. The advisory rates the overall security impact as important, indicating a high but not critical severity level.

Red Hat has released updated spice-client-win packages that address these vulnerabilities. Users and administrators should apply the security update as detailed in the Red Hat advisory RHSA-2026:0076 and the referenced update article (https://access.redhat.com/articles/11258). Applying these official patches is the recommended and effective mitigation. There is no indication that additional mitigation steps are required beyond applying the update.