SB2026050632 - Red Hat Enterprise Linux 10 update for fence-agents

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026050632

SB2026050632 - Red Hat Enterprise Linux 10 update for fence-agents

Published: May 6, 2026

Security Bulletin ID SB2026050632
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-32597)

The vulnerability allows a remote attacker to bypass security policy enforcement.

The vulnerability exists due to insufficient verification of data authenticity in the PyJWT token header validation logic when processing JWS tokens with unknown critical header extensions. A remote attacker can send a specially crafted token to bypass security policy enforcement.

This can cause split-brain verification in mixed-library deployments, where other RFC-compliant libraries reject the same token.


2) Uncontrolled Recursion (CVE-ID: CVE-2026-30922)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in the pyasn1 BER decoder when decoding deeply nested ASN.1 data with indefinite-length constructed types. A remote attacker can supply a specially crafted payload containing nested SEQUENCE or SET tags to cause a denial of service.

Services that parse untrusted ASN.1 data may terminate with a RecursionError or exhaust available memory.


Remediation

Install update from vendor's website.

References