
Threats Tagged 'cve-2026-23950'

View all threats tagged with 'cve-2026-23950'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: RHTAS 1.3.2 - Red Hat Trusted Artifact Signer Release (CVE-2025-61729)

The Red Hat Trusted Artifact Signer (RHTAS) Operator version 1.3.2 is associated with multiple security vulnerabilities identified by CVE-2025-61729 and 11 additional CVEs. It is designed for use with OpenShift Container Platform versions 4.16 through 4.20 and provides cryptographic signing and verification of software artifacts. The product is a self-managed, on-premise deployment of the Sigstore project, aimed at ensuring software supply chain integrity. The advisory does not specify fixes or patches for these vulnerabilities. No known exploits are reported in the wild at this time.

Red Hat Security Advisory: linux-sgx security update (CVE-2025-13465)

This Red Hat security advisory addresses multiple vulnerabilities in the linux-sgx package for Red Hat Enterprise Linux 10. The vulnerabilities include denial of service via improper input validation, arbitrary file overwrite and symlink poisoning, prototype pollution, and path traversal bypass issues. These flaws affect components such as qs, node-tar, and lodash libraries used within the Intel SGX SDK environment. The update is rated as important by Red Hat Product Security and addresses eight CVEs including CVE-2025-13465 and CVE-2025-15284. The advisory provides updated packages to remediate these issues. No known exploits in the wild have been reported at this time.

CVE-2026-23950: CWE-176: Improper Handling of Unicode Encoding in isaacs node-tar

node-tar, a Tar implementation for Node.js, has a race condition vulnerability in versions up to and including 7.5.3, caused by incomplete handling of Unicode path collisions in its `path-reservations` system. The library uses `PathReservations` to serialize the metadata checks and file operations for any given path, so that one entry cannot clobber another while both are processed concurrently. Reservation keys were compared after `NFD` normalization, under which `ß` and `ss` are distinct strings. On filesystems that are case-insensitive or normalization-insensitive (such as macOS APFS, where this has been tested, and HFS+), `ß` and `ss` resolve to the same inode, so the library fails to lock the colliding paths and processes them in parallel. A malicious archive containing such conflicting filenames can therefore bypass the internal concurrency safeguards and win a symlink poisoning race, which results in arbitrary file overwrite. The vulnerability affects users and systems that extract untrusted archives with node-tar on macOS (APFS/HFS+). The patch in version 7.5.4 updates `path-reservations.js` to derive the reservation key with a normalization form that matches the target filesystem's behaviour (e.g., `NFKD`), followed by `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`, so that `ß` and `ss` both map to `SS` and are serialized. As a workaround, users who cannot upgrade promptly and who extract arbitrary tarball data programmatically with `node-tar` should filter out all `SymbolicLink` entries (as npm does), which defends against arbitrary file writes via this filename collision.
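As an added illustration (not node-tar's own code and not from the advisory), the following JavaScript models the two reservation keys described above and shows how the key decides whether a malicious archive's `ß` symlink and its `ss/evil` file entry are serialized or allowed to race. `Reservations`, `ToyFs`, `applyEntry`, `extract` and the archive entries are constructed for this demonstration; the toy filesystem's name folding and the `await` gaps in `applyEntry` simulate a case-insensitive APFS volume and asynchronous fs calls rather than reproducing node-tar's extraction code. `dropSymlinks` is written in the shape of a node-tar `filter(path, entry)` callback, which is assumed here to be that option's signature.

```javascript
// Added example, not node-tar's code: models the reservation keys the advisory
// describes and the race they do or do not permit. Names below are constructed.

// Pre-7.5.4 key as the advisory describes it: NFD only. 'ß' has no canonical
// decomposition, so it never compares equal to 'ss'.
function keyNfdOnly(p) {
  return p.normalize('NFD');
}

// 7.5.4 key as the advisory describes it: NFKD, then lower-case, then
// upper-case under the 'en' locale. 'ß'.toLocaleUpperCase('en') is 'SS'.
function keyFixed(p) {
  return p.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// The entry path plus every ancestor directory: 'ss/evil' -> ['ss', 'ss/evil'].
function reservedPaths(p) {
  const parts = p.split('/');
  return parts.map((_, i) => parts.slice(0, i + 1).join('/'));
}

// Reservation queue: an operation waits for every earlier operation whose
// reserved paths share a key with its own, so same-path work runs in archive
// order. Operations whose keys are disjoint run concurrently.
class Reservations {
  constructor(keyFn) { this.keyFn = keyFn; this.tails = new Map(); }
  run(paths, fn) {
    const keys = paths.map(this.keyFn);
    const waits = keys.map(k => this.tails.get(k) || Promise.resolve());
    const next = Promise.all(waits).then(() => fn());
    const settled = next.catch(() => {});
    for (const k of keys) this.tails.set(k, settled);
    return next;
  }
}

// Toy filesystem that, like the case-insensitive APFS in the advisory, stores
// 'ß' and 'ss' under one name (simulated by folding names with keyFixed).
// A write whose parent is a symlink lands at the link target.
class ToyFs {
  constructor() { this.nodes = new Map(); this.writes = []; }
  fold(p) { return keyFixed(p); }
  symlink(p, target) { this.nodes.set(this.fold(p), { type: 'symlink', target }); }
  isSymlink(p) { const n = this.nodes.get(this.fold(p)); return n !== undefined && n.type === 'symlink'; }
  writeFile(p, data) {
    const i = p.lastIndexOf('/');
    const parent = this.nodes.get(this.fold(i < 0 ? '' : p.slice(0, i)));
    const where = parent && parent.type === 'symlink' ? parent.target + '/' + p.slice(i + 1) : p;
    this.nodes.set(this.fold(where), { type: 'file', data });
    this.writes.push(where);
    return where;
  }
}

const tick = () => new Promise(r => setImmediate(r));

// Apply one archive entry with the async gaps real fs calls have.
async function applyEntry(fs, entry) {
  if (entry.type === 'SymbolicLink') {
    await tick();                                  // fs.symlink is asynchronous
    fs.symlink(entry.path, entry.linkpath);
    return 'symlink ' + entry.path;
  }
  const i = entry.path.lastIndexOf('/');
  const parentIsLink = fs.isSymlink(i < 0 ? '' : entry.path.slice(0, i));  // the lstat check
  await tick(); await tick();                      // gap between the check and the open/write
  if (parentIsLink) return 'refused ' + entry.path;
  return 'wrote ' + fs.writeFile(entry.path, entry.data);
}

// Extract every entry through a reservation table built with keyFn.
async function extract(entries, keyFn) {
  const fs = new ToyFs();
  const res = new Reservations(keyFn);
  const results = await Promise.all(
    entries.map(e => res.run(reservedPaths(e.path), () => applyEntry(fs, e))));
  return { results, writes: fs.writes };
}

// Advisory workaround, shaped as a node-tar `filter(path, entry)` callback
// (assumed option signature): drop every SymbolicLink entry before extraction.
function dropSymlinks(path, entry) {
  return entry.type !== 'SymbolicLink';
}

// Constructed malicious archive: a symlink named 'ß', then a file under 'ss/'.
const ARCHIVE = [
  { path: 'ß', type: 'SymbolicLink', linkpath: '/tmp/outside' },
  { path: 'ss/evil', type: 'File', data: 'pwned' },
];

async function demo() {
  return {
    vulnerable: await extract(ARCHIVE, keyNfdOnly),
    fixed: await extract(ARCHIVE, keyFixed),
    workaround: await extract(ARCHIVE.filter(e => dropSymlinks(e.path, e)), keyNfdOnly),
  };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Run it with `node`. Under the NFD-only key the two entries hold different reservations, the parent check for `ss/evil` runs before the `ß` symlink exists, and the write lands at `/tmp/outside/evil` in the toy filesystem. Under the 7.5.4 key both entries fold to `SS`, the file entry waits for the symlink entry, and the check refuses the write. Filtering out `SymbolicLink` entries removes the attack regardless of which key is in use.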


Showing 1 to 3 of 3 results
