{}

{}

{}

{"acknowledgement": "Red Hat would like to thank asotyc for reporting this issue.", "bugzilla": {"description": "glib-networking: glib-networking: Denial of Service and information disclosure via crafted TLS client-CA list", "id": "2440139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440139"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in glib-networking. A malicious Transport Layer Security (TLS) server can exploit an out-of-bounds read and invalid free vulnerability when a client using the OpenSSL backend connects. By advertising a specially crafted client-CA list, the server can trigger an issue where memory is accessed outside of its allocated buffer and subsequently freed incorrectly. This can lead to a denial-of-service and potentially disclose limited heap memory."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-2574", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "glib-networking", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glib-networking", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glib-networking", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "glib-networking", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "glib-networking", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2574\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2574"], "statement": "This is a LOW impact vulnerability affecting the OpenSSL backend of the glib-networking library used by GNOME applications. When a client configured to use the OpenSSL backend connects to a malicious TLS server, improper handling of certificate authority data can result in an out-of-bounds heap read and an invalid free condition. Successful exploitation may cause application crashes (denial-of-service) and potentially limited heap memory disclosure.\nRed Hat products are not affected because the vulnerable OpenSSL backend is not built or shipped in supported configurations; therefore, the overall impact to Red Hat customers is considered Low.", "threat_severity": "Low"}

{}