Red Hat Product Security issued an advisory (RHSA-2026:0077) for spice-client-win MSI installers addressing four vulnerabilities: an integer truncation in SQLite (CVE-2025-6965), a use-after-free and a write-what-where vulnerability in libtiff (CVE-2025-8176 and CVE-2025-9900), and a large dynamic memory allocation vulnerability in libexpat (CVE-2025-59375). These issues affect Red Hat Enterprise Linux 8.4 variants and related packages. The advisory provides updated packages that remediate these vulnerabilities. The CVSS scores are available on the respective CVE pages, but not included here. The vendor rates the overall impact as Important and recommends applying the updates as detailed in their official documentation.

The vulnerabilities could potentially allow attackers to cause memory corruption or trigger large memory allocations, which may lead to denial of service or other impacts depending on the context of use. The integer truncation and use-after-free issues could lead to memory safety violations. However, no known exploits in the wild have been reported. The overall security impact is rated Important by Red Hat.

Red Hat has released updated spice-client-win packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 8.4 versions should apply the security update as described in the Red Hat advisory RHSA-2026:0077 and the referenced article https://access.redhat.com/articles/11258. Since this is a traditional software update, remediation requires applying the vendor-provided patches. No additional mitigations or workarounds are specified by the vendor.