{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-29T19:55:07Z",
  "bugzilla" : {
    "description" : "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges",
    "id" : "2483481",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2483481"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.", "A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22380",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs26-main-26.3.0-1.2.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22934",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "rust-main-1.96.0-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-06-07T00:00:00Z",
    "advisory" : "RHSA-2026:24069",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "llvm21-main-21.1.8-6.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7378",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-11T00:00:00Z",
    "advisory" : "RHSA-2026:7634",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "llvm-main-21.1.8-1.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-11T00:00:00Z",
    "advisory" : "RHSA-2026:7655",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "yarnpkg-main-1.22.22-18.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Confidential Compute Attestation",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-sandboxed-containers/osc-pccs",
    "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1"
  }, {
    "product_name" : "Cryostat 4",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Cryostat 4",
    "fix_state" : "Affected",
    "package_name" : "cryostat-openshift-console-plugin-npm",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Cryostat 4",
    "fix_state" : "Not affected",
    "package_name" : "grafana-infinity-datasource-npm",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Exploit Intelligence",
    "fix_state" : "Affected",
    "package_name" : "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
    "cpe" : "cpe:/a:redhat:exploit_intelligence:0"
  }, {
    "product_name" : "Gatekeeper 3",
    "fix_state" : "Not affected",
    "package_name" : "gatekeeper/gatekeeper-rhel9",
    "cpe" : "cpe:/a:redhat:gatekeeper:3"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Not affected",
    "package_name" : "mta/mta-ui-rhel8",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Not affected",
    "package_name" : "mta/mta-ui-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Containers",
    "fix_state" : "Affected",
    "package_name" : "rhmtc/openshift-migration-ui-rhel8",
    "cpe" : "cpe:/a:redhat:rhmt:1"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-healthcheck-must-gather-rhel9",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-healthcheck-operator-bundle",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-healthcheck-rhel9-operator",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-remediation-console-rhel8",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Not affected",
    "package_name" : "openshift-lightspeed/lightspeed-console-plugin-419-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Not affected",
    "package_name" : "openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Not affected",
    "package_name" : "openshift-lightspeed/lightspeed-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-console-plugin-pf5-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Affected",
    "package_name" : "openshift-service-mesh/kiali-ossmc-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Affected",
    "package_name" : "openshift-service-mesh/kiali-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/kiali-operator-bundle",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Affected",
    "package_name" : "openshift-service-mesh/kiali-ossmc-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Affected",
    "package_name" : "openshift-service-mesh/kiali-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/kiali-rhel9-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp21/system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp22/system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp2/system-rhel7",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp2/system-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp2/system-rhel9",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Under investigation",
    "package_name" : "redhat-user-workloads/volsync-0-12",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Under investigation",
    "package_name" : "redhat-user-workloads/volsync-bundle-0-12",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Under investigation",
    "package_name" : "rhacm2/volsync-operator-bundle",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Under investigation",
    "package_name" : "rhacm2/volsync-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-24/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-26/lightspeed-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-27/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-eda-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-gateway",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-platform-ui",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Under investigation",
    "package_name" : "apicurio/apicurio-registry-ui-rhel8",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Under investigation",
    "package_name" : "apicurio/apicurio-registry-ui-rhel9",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "rh-podman-desktop.git",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Not affected",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-bootc-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Not affected",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Affected",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-redhat-account-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Not affected",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-rhel-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Not affected",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-sandbox-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Connectivity Link 1",
    "fix_state" : "Affected",
    "package_name" : "rhcl-1/rhcl-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:connectivity_link:1"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Under investigation",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Directory Server 11",
    "fix_state" : "Not affected",
    "package_name" : "redhat-ds:11/389-ds-base",
    "cpe" : "cpe:/a:redhat:directory_server:11"
  }, {
    "product_name" : "Red Hat Directory Server 12",
    "fix_state" : "Not affected",
    "package_name" : "redhat-ds:12/389-ds-base",
    "cpe" : "cpe:/a:redhat:directory_server:12"
  }, {
    "product_name" : "Red Hat Directory Server 13",
    "fix_state" : "Not affected",
    "package_name" : "389-ds-base",
    "cpe" : "cpe:/a:redhat:directory_server:13"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "fix_state" : "Not affected",
    "package_name" : "discovery/discovery-ui-rhel9",
    "cpe" : "cpe:/a:redhat:discovery:2::el9"
  }, {
    "product_name" : "Red Hat Edge Manager 1",
    "fix_state" : "Under investigation",
    "package_name" : "rhem/flightctl-ui-ocp-rhel10",
    "cpe" : "cpe:/a:redhat:edge_manager:1"
  }, {
    "product_name" : "Red Hat Edge Manager 1",
    "fix_state" : "Under investigation",
    "package_name" : "rhem/flightctl-ui-ocp-rhel9",
    "cpe" : "cpe:/a:redhat:edge_manager:1"
  }, {
    "product_name" : "Red Hat Edge Manager 1",
    "fix_state" : "Under investigation",
    "package_name" : "rhem/flightctl-ui-rhel10",
    "cpe" : "cpe:/a:redhat:edge_manager:1"
  }, {
    "product_name" : "Red Hat Edge Manager 1",
    "fix_state" : "Under investigation",
    "package_name" : "rhem/flightctl-ui-rhel9",
    "cpe" : "cpe:/a:redhat:edge_manager:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Under investigation",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "nodejs24",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-nodemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "rust",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "subscription-manager",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "389-ds-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Under investigation",
    "package_name" : "cockpit",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "cockpit-appstream",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dotnet5.0-build-reference-packages",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dotnet8.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana-pcp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mozjs60",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-nodemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Under investigation",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Under investigation",
    "package_name" : "rust",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Under investigation",
    "package_name" : "spirv-tools",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Under investigation",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "gjs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "nodejs:22/nodejs-nodemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "nodejs:24/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "nodejs:24/nodejs-nodemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "rust",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "rhelai3/bootc-gaudi-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "rust",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion-1.1.11.tgz",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "dotnet8.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs20",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs24",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion-1.1.11.tgz",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-mod-arch-automl-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-mod-arch-autorag-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-mod-arch-eval-hub-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mod-arch-gen-ai-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-mod-arch-maas-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-mod-arch-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mod-arch-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/nmstate-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Under investigation",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Under investigation",
    "package_name" : "openshift4/ose-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Under investigation",
    "package_name" : "openshift4/ose-monitoring-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Under investigation",
    "package_name" : "openshift4/ose-monitoring-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Under investigation",
    "package_name" : "redhat-user-workloads/art-images",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "odf4/mcg-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "odf4/ocs-client-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "odf4/odf-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "odf4/odf-multicluster-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "rhceph-dev/odf4-mcg-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "rhceph-dev/odf4-ocs-client-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "rhceph-dev/odf4-odf-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Under investigation",
    "package_name" : "rhceph-dev/odf4-odf-multicluster-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/jetbrains-ide-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/openvsx-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel9",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Under investigation",
    "package_name" : "satellite/iop-advisor-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Under investigation",
    "package_name" : "satellite/iop-host-inventory-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Under investigation",
    "package_name" : "satellite/iop-remediations-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Under investigation",
    "package_name" : "satellite/iop-vulnerability-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Under investigation",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Trusted Profile Analyzer",
    "fix_state" : "Under investigation",
    "package_name" : "rhtpa/rhtpa-trustification-service-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_profile_analyzer:2"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Under investigation",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform/bootc-automation-portal-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Not affected",
    "package_name" : "brace-expansion",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-45149\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-45149\nhttps://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2" ],
  "name" : "CVE-2026-45149",
  "csaw" : false
}