
Threats Tagged 'cve-2026-1002'

View all threats tagged with 'cve-2026-1002'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: JBoss EAP XP 5.0 Update 4.0 release. See references for release notes. (CVE-2025-58057)

Red Hat JBoss EAP XP 5.0 Update 4.0 addresses multiple security vulnerabilities including a denial of service (DoS) vulnerability in Netty's BrotliDecoder (CVE-2025-58057), a cache manipulation issue in vertx-core that can deny access to static files (CVE-2026-1002), and an information disclosure vulnerability in lz4-java due to insufficient output buffer clearing (CVE-2025-66566). These issues are fixed in this update. The advisory does not provide CVSS scores but classifies the overall severity as high. No known exploits are reported in the wild. Users should apply this update after ensuring all previous errata are applied.

Red Hat Security Advisory: Red Hat build of Quarkus 3.20.6 release and security update (CVE-2025-33042)

Red Hat has released an important security update for its build of Quarkus 3.20.6 that addresses multiple vulnerabilities across several components. These include request smuggling in Netty's HTTP codec, denial of service via HTTP/2 CONTINUATION frame flood, directory traversal in Plexus-utils, code injection in Apache Avro Java SDK, and cache manipulation in Vert.x static handler. The update fixes five distinct CVEs and is rated with a high security impact by Red Hat. No known exploits in the wild have been reported. Users of Red Hat build of Quarkus are advised to apply this update after ensuring all prior errata are installed.

Red Hat Security Advisory: Red Hat build of Quarkus 3.27.3 release and security update (CVE-2025-33042)

Red Hat has released an important security update for its build of Quarkus version 3.27.3 addressing five vulnerabilities. These include denial of service and request smuggling issues in Netty components, directory traversal in Plexus-utils, code injection in Apache Avro Java SDK, and cache manipulation in Vert.x core. The update fixes these vulnerabilities to improve security and stability. No known exploits in the wild have been reported. Users of Red Hat build of Quarkus are advised to apply this update after ensuring all prior errata are installed.

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.5 XP 6.0.3.GA release (CVE-2026-1002)

A security vulnerability (CVE-2026-1002) affecting Red Hat JBoss Enterprise Application Platform 8.1.5 XP 6.0.3.GA allows manipulation of the vertx-core static handler component cache, which can deny access to static files. This issue is addressed in a cumulative patch release provided by Red Hat. The vulnerability is classified as moderate severity by Red Hat. No known exploits in the wild have been reported. Users are advised to apply the provided update after ensuring all previous errata are installed and backing up their systems.

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA) (CVE-2026-1002)

Red Hat has released an important security update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 (RHBQ 3.27.3.GA). This update addresses three vulnerabilities: CVE-2026-1002, which allows manipulation of the static handler component cache to deny access to static files; CVE-2026-33870, a request smuggling vulnerability in Netty due to incorrect parsing of HTTP/1.1 chunked transfer encoding extension values; and CVE-2026-33871, a denial of service vulnerability via HTTP/2 CONTINUATION frame flood in Netty. The update improves security and stability and is recommended for affected users. No known exploits in the wild have been reported at this time.

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14.4 for Spring Boot release. (CVE-2025-12543)

Red Hat has released a security update for the Red Hat Build of Apache Camel 4.14.4 for Spring Boot addressing multiple vulnerabilities. These include a flaw in undertow-core that fails to reject malformed Host headers, potentially enabling cache poisoning and SSRF (CVE-2025-12543); a vertx-core static handler cache manipulation vulnerability (CVE-2026-1002); and two arbitrary code execution vulnerabilities via JNDI dereferencing and deserialization in mchange-commons-java (CVE-2026-27727) and c3p0 (CVE-2026-27830). The update is rated as important by Red Hat Product Security. Users are advised to apply this patch after ensuring all prior errata are installed.

Red Hat Security Advisory: Streams for Apache Kafka 3.2.0 release and security update (CVE-2024-29371)

Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat Streams for Apache Kafka 3.2.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.1.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

* Drain Cleaner, Kafka Exporter - Eclipse Vert.x Web static handler file access denial [amq-st-3.2] (CVE-2026-1002)
* Drain Cleaner, Kroxylicious - Netty denial of service [amqst-3.2] (CVE-2026-33871)
* Drain Cleaner, Kroxylicious - Netty request smuggling attacks [amqst-3.2] (CVE-2026-33870)
* Cruise Control - jose4j denial of service [amqst-3.2] (CVE-2024-29371)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Memory exhaustion in query parameter parsing in net/url [amq-st-3.2] (CVE-2025-61726)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: golang: Denial of Service due to excessive resource consumption via crafted certificate [amq-st-3.2] (CVE-2025-61729)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Unexpected session resumption in crypto/tls [amqst-3.2] (CVE-2025-68121)
* console UI - Next.js Server-Side Request Forgery in Server Actions [amqst-3.2] (CVE-2024-34351)
* console UI - com.github.streamshub-console: Next.js: Unbounded next/image disk cache growth can exhaust storage [amqst-3.2] (CVE-2026-27980)
* console UI - Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [amqst-3.2] (CVE-2025-62718)
* console UI - React Server Components: Denial of Service via specially crafted HTTP requests [amqst-3.2] (CVE-2026-23864)
* console UI - Axios: Remote Code Execution via Prototype Pollution escalation [amqst-3.2] (CVE-2026-40175)
* console UI - lodash: Arbitrary code execution via untrusted input in template imports [amqst-3.2] (CVE-2026-4800)

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.5 update (CVE-2026-1002)

Red Hat has released updated Cryostat 4 on RHEL 9 container images that address multiple security vulnerabilities affecting various components and libraries. These fixes include patches for denial of service, authorization bypass, information disclosure, request smuggling, memory safety, and arbitrary code execution issues. Users of Cryostat 4 on RHEL 9 container images are advised to upgrade to the updated images and rebuild dependent container images to ensure these vulnerabilities are mitigated.

Red Hat Security Advisory: RHOAI 2.25.5 - Red Hat OpenShift AI (CVE-2025-6242)

Red Hat OpenShift AI version 3.3.3 addresses multiple critical security vulnerabilities identified by CVE-2025-6242 and 45 additional CVEs. The advisory announces updated container images for Red Hat OpenShift AI to mitigate these issues. No specific technical details or fixes for individual CVEs are provided in the advisory content. There are no known exploits in the wild at the time of publication. The vendor has released updated images and documentation to guide users on upgrading their clusters to apply the errata update. Patch status is not explicitly confirmed in the advisory, and no direct patch links are provided. Users should consult the official Red Hat documentation for upgrade instructions and remediation details. The vulnerabilities collectively are rated critical in severity.
