{ "threat_severity" : "Important", "public_date" : "2025-09-15T00:00:00Z", "bugzilla" : { "description" : "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing", "id" : "2395108", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395108" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion." ], "statement" : "This issue is Important rather than Critical because, while it allows for significant resource exhaustion leading to denial-of-service (DoS), it does not enable arbitrary code execution, data leakage, or privilege escalation. The vulnerability stems from an uncontrolled memory amplification behavior in libexpat’s parser, where a relatively small XML payload can cause disproportionately large heap allocations. However, the flaw is limited in scope to service disruption and requires the attacker to submit a crafted XML document—something that can be mitigated with proper input validation and memory usage limits. Therefore, while the exploitability is high, the impact is confined to availability, not confidentiality or integrity, making it a high-severity but not critical flaw.\nIn Firefox and Thunderbird, where libexpat is a transitive userspace dependency, exploitation usually just crashes the application (app-level DoS), so it is classified as Moderate instead of Important.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19403", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "expat-0:2.7.1-1.el10_0.3", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:21030", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "expat-0:2.7.1-1.el10_1.3", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21974", "cpe" : "cpe:/a:redhat:enterprise_linux:8::crb", "package" : "mingw-expat-0:2.5.0-1.el8_10", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-26T00:00:00Z", "advisory" : "RHSA-2026:3407", "cpe" : "cpe:/a:redhat:enterprise_linux:8::crb", "package" : "mingw-fontconfig-0:2.12.6-4.el8_10", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-11-19T00:00:00Z", "advisory" : "RHSA-2025:21776", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "expat-0:2.5.0-1.el8_10", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0078", "cpe" : "cpe:/a:redhat:rhel_aus:8.2", "package" : "spice-client-win-0:8.10-3.el8_2.1" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22871", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "expat-0:2.2.10-1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0077", "cpe" : "cpe:/a:redhat:rhel_aus:8.4", "package" : "spice-client-win-0:8.10-3.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22785", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "expat-0:2.2.10-1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0077", "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4", "package" : "spice-client-win-0:8.10-3.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22785", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "expat-0:2.2.10-1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0076", "cpe" : "cpe:/a:redhat:rhel_aus:8.6", "package" : "spice-client-win-0:8.10-3.el8_6.1" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22842", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "expat-0:2.2.10-1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0076", "cpe" : "cpe:/a:redhat:rhel_tus:8.6", "package" : "spice-client-win-0:8.10-3.el8_6.1" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22842", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "expat-0:2.2.10-1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0076", "cpe" : "cpe:/a:redhat:rhel_e4s:8.6", "package" : "spice-client-win-0:8.10-3.el8_6.1" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22842", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "expat-0:2.2.10-1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0001", "cpe" : "cpe:/a:redhat:rhel_tus:8.8", "package" : "spice-client-win-0:8.10-3.el8_8.1" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22607", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "expat-0:2.2.10-1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-01-05T00:00:00Z", "advisory" : "RHSA-2026:0001", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "spice-client-win-0:8.10-3.el8_8.1" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22607", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "expat-0:2.2.10-1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-26T00:00:00Z", "advisory" : "RHSA-2025:22175", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "expat-0:2.5.0-5.el9_7.1", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-26T00:00:00Z", "advisory" : "RHSA-2025:22175", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "expat-0:2.5.0-5.el9_7.1", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22035", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "expat-0:2.2.10-12.el9_0.4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22034", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "expat-0:2.5.0-1.el9_2.3" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22033", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "expat-0:2.5.0-2.el9_4.3" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2025-11-19T00:00:00Z", "advisory" : "RHSA-2025:21773", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "expat-0:2.5.0-5.el9_6.1" }, { "product_name" : "Red Hat JBoss Core Services 2.4.62.SP2", "release_date" : "2025-10-27T00:00:00Z", "advisory" : "RHSA-2025:19020", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "expat", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.12", "release_date" : "2026-01-15T00:00:00Z", "advisory" : "RHSA-2026:0316", "cpe" : "cpe:/a:redhat:openshift:4.12::el8", "package" : "rhcos-412.86.202601061735-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.13", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0677", "cpe" : "cpe:/a:redhat:openshift:4.13::el9", "package" : "rhcos-413.92.202601130113-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2026-01-30T00:00:00Z", "advisory" : "RHSA-2026:0996", "cpe" : "cpe:/a:redhat:openshift:4.14::el9", "package" : "rhcos-414.92.202601191325-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.15", "release_date" : "2026-02-05T00:00:00Z", "advisory" : "RHSA-2026:1541", "cpe" : "cpe:/a:redhat:openshift:4.15::el9", "package" : "rhcos-415.92.202601271320-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.16", "release_date" : "2026-01-15T00:00:00Z", "advisory" : "RHSA-2026:0326", "cpe" : "cpe:/a:redhat:openshift:4.16::el9", "package" : "rhcos-416.94.202601071926-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.17", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0702", "cpe" : "cpe:/a:redhat:openshift:4.17::el9", "package" : "rhcos-417.94.202601120213-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.18", "release_date" : "2026-01-15T00:00:00Z", "advisory" : "RHSA-2026:0332", "cpe" : "cpe:/a:redhat:openshift:4.18::el9", "package" : "rhcos-418.94.202601071817-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.19", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0674", "cpe" : "cpe:/a:redhat:openshift:4.19::el9", "package" : "rhcos-4.19.9.6.202601130152-0", "impact" : "important" }, { "product_name" : "Red Hat OpenShift Container Platform 4.20", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0420", "cpe" : "cpe:/a:redhat:openshift:4.20::el9", "package" : "rhcos-4.20.9.6.202601052146-0", "impact" : "important" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-db-migrator-tool-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.36.0-10" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.36.0-10" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.36.0-4" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-management-console-rhel8:1.36.0-9" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-operator-bundle:1.36.0-12" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-rhel8-operator:1.36.0-18" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.36.0-7" }, { "product_name" : "Red Hat Advanced Cluster Security 4.7", "release_date" : "2025-12-16T00:00:00Z", "advisory" : "RHSA-2025:23248", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package" : "advanced-cluster-security/rhacs-scanner-db-rhel8:sha256:02a33bc81310601ebbe26391b472da8f558cbbd0c7ea1400f9cd7c3f44abb0ac" }, { "product_name" : "Red Hat Advanced Cluster Security 4.7", "release_date" : "2025-12-16T00:00:00Z", "advisory" : "RHSA-2025:23248", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:sha256:16f3506332224b30b82a3112e1dd9972cd15f1e6431c22ab3f584424aede986f" }, { "product_name" : "Red Hat Advanced Cluster Security 4.8", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23550", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8", "package" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:sha256:0c0992ea41ed0e01478199af484e921d472a1b1e34e09fe4ae7faa6009f0318e" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:23078", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-cuda-rhel9:sha256:bddcf7ab6d576572b6d60822c313ffebcd9869e4fde93e32ac327821f93cf32b" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:23079", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-rocm-rhel9:sha256:7856bdb7ae0d643a7b9362c164d4d4fe3c0c7186f5fff73a7ae9835b3df52e57" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:23080", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/model-opt-cuda-rhel9:sha256:14e32e88f1b89f59ed34a6d712746b82a6a54c6ed4727784f18aeff853abbdc7" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23202", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/model-opt-cuda-rhel9:sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23204", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-cuda-rhel9:sha256:7b04c0154c486aa7dd103ddeaf6bea7b9851859c33a4b979a85261a44a7b77f2" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23205", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-rocm-rhel9:sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23209", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-tpu-rhel9:sha256:64796b48c68d31973a08e22c9530c39b1bc3ba9f376bbefa57643ef0fc857534" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23449", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-rocm-rhel9:sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2026-02-27T00:00:00Z", "advisory" : "RHSA-2026:3461", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-cuda-rhel9:sha256:dcb9d1cd005c40b6db6f893e56419e383b9dcc0d38315605cb1457e2af5354f7" }, { "product_name" : "Red Hat AI Inference Server 3.2", "release_date" : "2026-02-27T00:00:00Z", "advisory" : "RHSA-2026:3462", "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9", "package" : "rhaiis/vllm-rocm-rhel9:sha256:53007894763e03f609c35c727cb738db3c2130b19fa0e1069c24240e0870fb7a" }, { "product_name" : "Red Hat Ceph Storage 8", "release_date" : "2025-12-16T00:00:00Z", "advisory" : "RHSA-2025:23227", "cpe" : "cpe:/a:redhat:ceph_storage:8::el9", "package" : "rhceph/rhceph-8-rhel9:sha256:6e64e0e65a871117cff35f0eba405b311ac1d6ec3ccc2621d61d3811a873e0b4" }, { "product_name" : "Red Hat Ceph Storage 8", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1652", "cpe" : "cpe:/a:redhat:ceph_storage:8::el9", "package" : "rhceph/rhceph-8-rhel9:sha256:09aaeba975aa74bdf95d63e5619c0cabb1cd9e1410aa34e7f8ecf24a5e291d1a" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2026-01-08T00:00:00Z", "advisory" : "RHSA-2026:0414", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-server-rhel9:sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2026-01-08T00:00:00Z", "advisory" : "RHSA-2026:0414", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-ui-rhel9:sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-gateway-opa-rhel8:sha256:1a5d2d0363f67da79ed163a0334990ed47100fa9b27d0f5d6de175fd6eb262be" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-gateway-rhel8:sha256:37e1131356229c7504b0eae1a3437e62473ad55b88b6431d874cc8ddf51cc560" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-jaeger-query-rhel8:sha256:444e9e52db4c660e9c5bced414f5d1816ad205fe5a4938e06cd23860b0884b5e" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-operator-bundle:sha256:f25a68576e0f207084864219afd15e6545e4942671cf52703cb97d1c37cc29da" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-query-rhel8:sha256:552768ac844b3316e67d7381660d22732e769e0eb22ad6efe314cebabe81d918" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-rhel8:sha256:4de4c5b2d5b1f4b4825b8f463b3c2173db026b725dc80130a4b0578158a5e96b" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.8.1", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22618", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.8::el8", "package" : "rhosdt/tempo-rhel8-operator:sha256:50f96688b8fc7790ef0de9c0d002f9f93ae9f9037c4140de39f351ae951a44d7" }, { "product_name" : "Red Hat Quay 3.16", "release_date" : "2026-01-13T00:00:00Z", "advisory" : "RHSA-2026:0518", "cpe" : "cpe:/a:redhat:quay:3.16::el9", "package" : "quay/quay-builder-rhel9:sha256:835936fd4e539387d9b8c9f9c1d2965d03835873b8c6027e4e9a1cde5ef6df55" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22935", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/cds-rhel9:sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22935", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/haproxy-rhel9:sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22935", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/installer-rhel9:sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22935", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/rhua-rhel9:sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Will not fix", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:10", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Will not fix", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:10", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "compat-expat1", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "expat", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "expat", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "xmlrpc-c", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "impact" : "important" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59375\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59375\nhttps://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375\nhttps://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375" ], "name" : "CVE-2025-59375", "mitigation" : { "value" : "To mitigate the issue, limit XML input size and complexity before parsing, and avoid accepting compressed or deeply nested XML. Use OS-level resource controls (like ulimit or setrlimit()) to cap memory usage, or run the parser in a sandboxed or isolated process with strict memory and CPU limits. This helps prevent denial-of-service by containing excessive resource consumption.", "lang" : "en:us" }, "csaw" : false }