The Red Hat security advisory RHSA-2026:0078 addresses four vulnerabilities impacting spice-client-win MSI installers for Windows clients distributed with Red Hat Enterprise Linux 8.2 AUS. The vulnerabilities include an integer truncation flaw in SQLite (CVE-2025-6965), two memory corruption issues in libtiff (use-after-free CVE-2025-8176 and write-what-where CVE-2025-9900), and a libexpat vulnerability allowing attackers to trigger large dynamic memory allocations via crafted XML documents (CVE-2025-59375). These issues could potentially lead to memory corruption or denial of service. Red Hat has released updated packages to fix these vulnerabilities and recommends applying the update. The advisory does not provide CVSS scores but classifies the impact as important.

The vulnerabilities affect the spice-client-win MSI installers for Windows clients, potentially allowing attackers to exploit memory corruption and resource exhaustion issues. The integer truncation in SQLite and the use-after-free and write-what-where vulnerabilities in libtiff could lead to memory corruption, which might be leveraged for denial of service or other impacts. The libexpat vulnerability allows triggering large dynamic memory allocations, potentially causing denial of service. No known exploits in the wild have been reported. The overall security impact is rated as important by Red Hat.

Red Hat has released updated spice-client-win packages for Red Hat Enterprise Linux 8.2 AUS that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:0078 and the referenced article https://access.redhat.com/articles/11258. Since this is an on-premises product, remediation requires manual update by system administrators. There are no indications that no action is required or that the issues are already mitigated without patching.