{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rhel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["libxslt","rhel","vulnerability","code-execution","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in the libxslt library within Red Hat Enterprise Linux (RHEL) that could allow a local attacker to perform a denial-of-service (DoS) attack or execute arbitrary code. While specific versions and CVEs are not mentioned in the advisory, the potential impact is significant. This vulnerability could be exploited if a user processes a malicious XSLT stylesheet, leading to memory corruption or other exploitable conditions. This poses a serious risk to systems where libxslt is used to process untrusted or user-supplied XSLT files, potentially allowing for complete system compromise. Defenders should prioritize identifying vulnerable systems and applying patches as soon as they become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains access to the target RHEL system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XSLT stylesheet designed to exploit the libxslt vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a local program that uses libxslt to parse the crafted stylesheet. This could be a custom application or a common utility that relies on libxslt for XSLT processing.\u003c/li\u003e\n\u003cli\u003eWhen the vulnerable libxslt library parses the malicious stylesheet, it triggers a buffer overflow or other memory corruption vulnerability.\u003c/li\u003e\n\u003cli\u003eThe memory corruption allows the attacker to overwrite critical system memory or inject malicious code.\u003c/li\u003e\n\u003cli\u003eIf a DoS condition is triggered, the affected service or application crashes, leading to a disruption of service.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully injects and executes arbitrary code, they gain control of the affected process with the privileges of the user running the application.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage their gained access to escalate privileges and perform further malicious activities on the system, such as installing backdoors or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, causing the affected application or service to crash and become unavailable. More critically, it can allow a local attacker to execute arbitrary code with the privileges of the user running the vulnerable application. This could lead to full system compromise if the affected application runs with elevated privileges. The impact is amplified in environments where libxslt is used to process untrusted or user-supplied XSLT files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all systems running Red Hat Enterprise Linux that utilize the libxslt library.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for suspicious child processes spawned by applications utilizing libxslt with the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eWhen available, apply the appropriate patches or updates for libxslt provided by Red Hat to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for XSLT stylesheets processed by applications to mitigate the risk of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:20:35Z","date_published":"2026-04-01T09:20:35Z","id":"/briefs/2024-05-rhel-libxslt-vuln/","summary":"A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.","title":"Red Hat Enterprise Linux libxslt Vulnerability Allows DoS and Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-05-rhel-libxslt-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rhel","code-execution","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in Red Hat Enterprise Linux, specifically within the 389-ds-base component. This flaw allows a remote, authenticated attacker to execute arbitrary code on the affected system. While the specific nature of the vulnerability isn\u0026rsquo;t detailed, the authentication requirement suggests it likely involves a flaw in how the 389 Directory Server handles authenticated requests. Successful exploitation could lead to complete system compromise, allowing the attacker to install malware, steal sensitive data, or disrupt services. Additionally, the vulnerability has the potential to be leveraged for a denial-of-service (DoS) attack, rendering the system unavailable. Defenders should prioritize patching and monitoring for suspicious activity related to the 389-ds-base service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains valid credentials for the 389 Directory Server, possibly through credential stuffing, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an authenticated connection to the 389 Directory Server (likely over LDAP or LDAPS).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request that exploits the vulnerability within 389-ds-base. This request could involve a specially formatted LDAP query or modification operation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within 389-ds-base processes the malicious request, leading to arbitrary code execution in the context of the 389 Directory Server process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution to escalate privileges to root or another privileged account. This could involve exploiting other vulnerabilities or misconfigurations on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware, backdoors, or other malicious tools on the compromised system.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker triggers a denial-of-service condition, causing the 389 Directory Server to crash or become unresponsive.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally within the network, targeting other critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow attackers to gain complete control of Red Hat Enterprise Linux systems running the 389 Directory Server. This could lead to data breaches, system outages, and further compromise of the network. The potential for denial-of-service attacks could disrupt critical services and impact business operations. The number of affected systems depends on the prevalence of 389-ds-base deployments within an organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches provided by Red Hat for the 389-ds-base package to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts targeting 389-ds-base.\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for the 389 Directory Server for suspicious login attempts or unusual activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential breach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T09:51:23Z","date_published":"2026-03-25T09:51:23Z","id":"/briefs/2026-03-rhel-code-execution/","summary":"A remote, authenticated attacker can exploit a vulnerability in Red Hat Enterprise Linux (specifically 389-ds-base) to achieve arbitrary code execution and potentially cause a denial of service.","title":"Red Hat Enterprise Linux Vulnerability Leads to Code Execution and Potential DoS","url":"https://feed.craftedsignal.io/briefs/2026-03-rhel-code-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libxslt","rhel","code-execution","file-manipulation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within the libxslt library in Red Hat Enterprise Linux (RHEL) that could be exploited by a local attacker. While specific details regarding the vulnerability (CVE number, affected versions) are not provided in this advisory, the potential impact includes arbitrary code execution or manipulation of files on the affected system. Due to the lack of specific details, the scope of targeting remains unknown, but any RHEL system utilizing libxslt is potentially vulnerable. It is imperative that detection engineers address this threat by implementing proactive measures to identify and mitigate potential exploitation attempts, particularly focusing on detecting unexpected behavior associated with libxslt processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to a Red Hat Enterprise Linux system. This could be achieved through various means, such as compromising a user account or exploiting a separate vulnerability to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XSLT stylesheet specifically designed to exploit the libxslt vulnerability. This stylesheet could contain code intended for execution or file manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes a program or script that leverages libxslt to process the crafted malicious stylesheet. This could involve using command-line tools or applications that rely on libxslt for XML transformations.\u003c/li\u003e\n\u003cli\u003eDuring the processing of the malicious stylesheet, the libxslt vulnerability is triggered, leading to the execution of arbitrary code within the context of the application using libxslt.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to escalate privileges on the system, potentially gaining root access.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses the vulnerability to manipulate files on the system, modifying configurations, injecting malicious code into existing files, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the compromised system, ensuring continued access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could be data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow a local attacker to gain complete control over the affected Red Hat Enterprise Linux system. This may lead to data breaches, system outages, or the installation of backdoors for persistent access. Given the widespread use of RHEL in enterprise environments, a successful attack could have significant consequences across various sectors. The potential for arbitrary code execution and file manipulation makes this a high-severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unexpected or unusual activity involving libxslt binaries using the provided Sigma rule \u003ccode\u003eDetect Suspicious Libxslt Process Execution\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical system files using the Sigma rule \u003ccode\u003eDetect Malicious File Modification via Libxslt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly audit user privileges and access controls to minimize the potential impact of a successful exploit.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified instances of potentially malicious XSLT stylesheets being processed on RHEL systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:16:03Z","date_published":"2026-03-24T10:16:03Z","id":"/briefs/2026-03-rhel-libxslt-vuln/","summary":"A local attacker can exploit a vulnerability in libxslt in Red Hat Enterprise Linux to execute arbitrary program code or manipulate files.","title":"Red Hat Enterprise Linux libxslt Vulnerability Allows Code Execution or File Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-03-rhel-libxslt-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Rhel","version":"https://jsonfeed.org/version/1.1"}