<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Red Hat Enterprise Linux 9 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/red-hat-enterprise-linux-9/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 10:19:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/red-hat-enterprise-linux-9/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14476: SSSD AD GPO Provider Path Traversal to Root File Write and Authentication Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14476-sssd-path-traversal/</link><pubDate>Tue, 07 Jul 2026 10:19:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14476-sssd-path-traversal/</guid><description>A path traversal vulnerability (CVE-2026-14476) in SSSD's Active Directory Group Policy Object (AD GPO) provider allows an authenticated attacker with AD GPO management access to write arbitrary files outside the GPO cache directory with root privileges, leading to Kerberos configuration injection and potential authentication bypass on Red Hat Enterprise Linux systems.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, tracked as CVE-2026-14476, has been identified in the System Security Services Daemon (SSSD) AD GPO provider. This flaw resides within the <code>ad_gpo_extract_smb_components()</code> function, which fails to properly sanitize <code>..</code> sequences embedded within the <code>gPCFileSysPath</code> LDAP attribute. This oversight enables an attacker, who has already secured Active Directory GPO management privileges, to craft a malicious attribute that directs file writes outside the intended GPO cache directory. Exploitation results in the ability to write arbitrary files as the <code>root</code> user on affected systems. Specifically, on default Red Hat Enterprise Linux (RHEL) configurations with SELinux in enforcing mode, this vulnerability can be leveraged to inject malicious Kerberos configuration, ultimately leading to an authentication bypass, compromising system integrity and access controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains or already possesses valid Active Directory GPO management credentials and access.</li>
<li>Using their GPO management privileges, the attacker modifies the <code>gPCFileSysPath</code> LDAP attribute to include <code>..</code> path traversal sequences.</li>
<li>The crafted <code>gPCFileSysPath</code> attribute is designed to point to a sensitive system directory outside the normal GPO cache on the target SSSD-managed RHEL system.</li>
<li>When SSSD's <code>ad_gpo_extract_smb_components()</code> function processes this attribute, it inadequately sanitizes the <code>..</code> sequences, misinterpreting the attacker's intended path.</li>
<li>This allows the attacker to write arbitrary files with <code>root</code> privileges to a chosen location on the affected RHEL system, bypassing normal file system permissions.</li>
<li>The attacker injects a malicious Kerberos configuration file (e.g., within <code>/etc/krb5.conf.d/</code> or <code>/etc/krb5.conf</code>) into a directory that is processed by the system's Kerberos client.</li>
<li>The injected configuration manipulates Kerberos authentication parameters, potentially redirecting authentication requests or enabling compromise of Kerberos tickets.</li>
<li>This manipulation leads to an authentication bypass, granting the attacker unauthorized access or elevated privileges on the SSSD-managed RHEL system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14476 grants an authenticated attacker (with AD GPO management access) the ability to achieve arbitrary file write as root on targeted Red Hat Enterprise Linux systems. This level of access allows for critical system compromise, including the injection of malicious Kerberos configurations that can lead to a full authentication bypass. The consequence is a complete compromise of system integrity, confidentiality, and availability, enabling unauthorized access to sensitive data and critical system functions. Organizations relying on SSSD for Active Directory integration on RHEL are at risk, with potential for widespread compromise if AD GPO management systems are breached.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-14476 by applying the latest security updates provided by Red Hat for SSSD to all affected Red Hat Enterprise Linux and OpenShift Container Platform installations.</li>
<li>Review and restrict Active Directory GPO management access to only necessary administrative accounts, following the principle of least privilege.</li>
<li>Monitor for unusual file creation or modification events in sensitive system directories (e.g., <code>/etc/krb5.conf</code>, <code>/etc/krb5.conf.d/</code>) on SSSD-managed RHEL systems.</li>
<li>Implement host-based intrusion detection systems to alert on unexpected changes to Kerberos configuration files or attempts to write files outside standard GPO cache locations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>privilege-escalation</category><category>authentication-bypass</category><category>kerberos</category><category>linux</category><category>red-hat</category><category>sssd</category><category>cve</category></item><item><title>CVE-2026-58384: GIMP PSD Parser Integer Overflow Leads to RCE/DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58384-gimp-psd-parser/</link><pubDate>Tue, 07 Jul 2026 09:18:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58384-gimp-psd-parser/</guid><description>An integer overflow vulnerability (CVE-2026-58384) exists in GIMP's PSD parser within the `read_RLE_channel()` function, leading to undersized heap allocations that can cause subsequent heap memory corruption, potentially resulting in denial of service or arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-58384 describes a critical flaw in the GIMP (GNU Image Manipulation Program) PSD (Photoshop Document) parser. Specifically, an integer overflow occurs within the <code>read_RLE_channel()</code> function. This vulnerability arises when processing specially crafted PSD files, causing an undersized heap allocation for the Run-Length Encoding (RLE) row-length table. Following this incorrect allocation, subsequent per-row writes attempt to use more memory than allocated, leading to heap memory corruption. This memory corruption can have severe consequences, including the application crashing (denial of service) or, in a more advanced scenario, the execution of arbitrary code on the affected system. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and affects GIMP, including its package within Red Hat Enterprise Linux 9.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PSD file designed to trigger an integer overflow in GIMP's parser.</li>
<li>The malicious PSD file contains specially formatted RLE channel data intended to cause an undersized buffer allocation.</li>
<li>A user is enticed to open the malicious PSD file using an affected version of the GIMP application.</li>
<li>GIMP's <code>read_RLE_channel()</code> function begins processing the RLE channel data from the malicious file.</li>
<li>During the calculation for the RLE row-length table allocation, an integer overflow occurs due to the crafted input.</li>
<li>This integer overflow results in an undersized heap allocation for the RLE row-length table, creating a buffer overflow condition.</li>
<li>Subsequent writes by the <code>read_RLE_channel()</code> function, intended for per-row data, exceed the boundary of the undersized buffer, corrupting adjacent heap memory.</li>
<li>This heap memory corruption ultimately leads to either a denial-of-service condition (e.g., GIMP application crash) or, under specific exploit conditions, arbitrary code execution in the context of the user running GIMP.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-58384 is significant, potentially leading to application instability, data loss, or complete system compromise. If exploited for denial of service, GIMP users would experience application crashes, hindering productivity. More critically, successful exploitation for arbitrary code execution could allow an attacker to run malicious code with the privileges of the compromised user, potentially leading to further compromise of the system, data exfiltration, or installation of additional malware. While no specific victim counts or sectors are mentioned, any organization or individual using affected GIMP versions is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update GIMP to a patched version immediately to remediate CVE-2026-58384, as referenced by the <code>https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217</code> commit.</li>
<li>Apply security updates for Red Hat Enterprise Linux 9 if using the GIMP package, addressing CVE-2026-58384, as detailed in the Red Hat advisory <code>https://access.redhat.com/security/cve/CVE-2026-58384</code>.</li>
<li>Ensure all software, particularly applications that handle untrusted file formats, are kept up-to-date with the latest security patches.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>dos</category><category>gimp</category><category>linux</category><category>heap-overflow</category></item><item><title>CVE-2026-58380: GIMP PNM Parser Off-by-One Error Leads to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58380-gimp-pnm-parser-vulnerability/</link><pubDate>Mon, 06 Jul 2026 15:25:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58380-gimp-pnm-parser-vulnerability/</guid><description>A high-severity off-by-one error, CVE-2026-58380, in GIMP's PNM file format parser (specifically the `pnmscanner_gettoken()` function) allows an attacker to corrupt memory by crafting a malicious PNM file, potentially leading to denial of service or arbitrary code execution when the file is opened.</description><content:encoded><![CDATA[<p>CVE-2026-58380 details a critical vulnerability discovered in GIMP's PNM (Portable Anymap) image file format parser. The flaw resides within the <code>pnmscanner_gettoken()</code> function, where an off-by-one error during a loop boundary check causes a null terminator to be written one byte beyond the intended boundary of a stack-allocated buffer. This memory corruption is triggered when GIMP attempts to parse a specially crafted PNM file. While not yet observed in active exploitation, successful exploitation could lead to application instability and denial of service due to crashes, or, more severely, arbitrary code execution, granting an attacker control over the compromised system. This vulnerability affects various GIMP versions, including those shipped with Red Hat Enterprise Linux distributions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PNM image file specifically designed to exploit the off-by-one error in GIMP's <code>pnmscanner_gettoken()</code> function.</li>
<li>The malicious PNM file is delivered to a victim through common vectors such as email attachments, malicious websites, or untrusted file shares.</li>
<li>The victim opens the specially crafted PNM file using the vulnerable GIMP application.</li>
<li>During the file parsing process, the <code>pnmscanner_gettoken()</code> function attempts to process the malicious input.</li>
<li>The off-by-one error causes a null byte to be written past the end of a stack buffer, corrupting adjacent memory.</li>
<li>This memory corruption disrupts program execution flow, leading to either an immediate application crash (denial of service) or, under controlled conditions, enables arbitrary code execution on the victim's system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability, CVE-2026-58380, carries a CVSS v3.1 Base Score of 7.3 (High), indicating significant potential impact. If successfully exploited, systems running vulnerable versions of GIMP could suffer from denial of service, where the application crashes, leading to loss of productivity. More critically, an attacker could achieve arbitrary code execution, allowing them to install malware, exfiltrate data, or gain full control over the compromised system. While there are no reports of in-the-wild exploitation, the widespread use of GIMP, particularly on Linux distributions like Red Hat Enterprise Linux, makes this a high-risk vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches for CVE-2026-58380 immediately to all GIMP installations, particularly on Red Hat Enterprise Linux systems, by referring to the official Red Hat security advisory at <code>https://access.redhat.com/security/cve/CVE-2026-58380</code>.</li>
<li>Monitor Red Hat security channels for updates to affected products as detailed in the Red Hat advisory and apply them promptly.</li>
<li>Implement user awareness training regarding the risks associated with opening untrusted image files, especially those in less common formats like PNM.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>memory-corruption</category><category>buffer-overflow</category><category>GIMP</category><category>linux</category></item></channel></rss>