Issued:: 2026-03-05
Updated:: 2026-03-05

RHSA-2026:3951 - Important: JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.

Synopsis

Important: JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.

Type/Severity

Security Advisory Important

Topic

JBoss EAP XP 5.0 Update 4.0 release. See references for release notes.

Description

JBoss EAP XP 5.0 Update 4.0 GA release. See references for release notes.

Security Fix(es):

vertx-core: static handler component cache can be manipulated to deny the access to static files [eapxp-5] (CVE-2026-1002)
netty-codec: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack [eapxp-5] (CVE-2025-58057)
lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [eapxp-5] (CVE-2025-66566)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index

Affected Products

Product	Version	Arch
JBoss Enterprise Application Platform	Text-Only Advisories	x86_64

Fixes

(none)

CVEs

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.