<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rhel — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rhel/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 01 Apr 2026 09:20:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rhel/feed.xml" rel="self" type="application/rss+xml"/><item><title>Red Hat Enterprise Linux libxslt Vulnerability Allows DoS and Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-05-rhel-libxslt-vuln/</link><pubDate>Wed, 01 Apr 2026 09:20:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-rhel-libxslt-vuln/</guid><description>A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.</description><content:encoded><![CDATA[<p>A vulnerability exists in the libxslt library within Red Hat Enterprise Linux (RHEL) that could allow a local attacker to perform a denial-of-service (DoS) attack or execute arbitrary code. While specific versions and CVEs are not mentioned in the advisory, the potential impact is significant. This vulnerability could be exploited if a user processes a malicious XSLT stylesheet, leading to memory corruption or other exploitable conditions. This poses a serious risk to systems where libxslt is used to process untrusted or user-supplied XSLT files, potentially allowing for complete system compromise. 
Defenders should prioritize identifying vulnerable systems and applying patches as soon as they become available.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A local attacker gains access to the target RHEL system.</li>
<li>The attacker crafts a malicious XSLT stylesheet designed to exploit the libxslt vulnerability.</li>
<li>The attacker leverages a local program that uses libxslt to parse the crafted stylesheet. This could be a custom application or a common utility that relies on libxslt for XSLT processing.</li>
<li>When the vulnerable libxslt library parses the malicious stylesheet, it triggers a buffer overflow or other memory corruption vulnerability.</li>
<li>The memory corruption allows the attacker to overwrite critical system memory or inject malicious code.</li>
<li>If a DoS condition is triggered, the affected service or application crashes, leading to a disruption of service.</li>
<li>If the attacker successfully injects and executes arbitrary code, they gain control of the affected process with the privileges of the user running the application.</li>
<li>The attacker can then leverage their gained access to escalate privileges and perform further malicious activities on the system, such as installing backdoors or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to a denial-of-service condition, causing the affected application or service to crash and become unavailable. More critically, it can allow a local attacker to execute arbitrary code with the privileges of the user running the vulnerable application. This could lead to full system compromise if the affected application runs with elevated privileges. The impact is amplified in environments where libxslt is used to process untrusted or user-supplied XSLT files.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify all systems running Red Hat Enterprise Linux that utilize the libxslt library.</li>
<li>Monitor process creation events for suspicious child processes spawned by applications that use libxslt, using the provided Sigma rules.</li>
<li>When available, apply the appropriate patches or updates for libxslt provided by Red Hat to remediate the vulnerability.</li>
<li>Implement strict input validation and sanitization for XSLT stylesheets processed by applications to mitigate the risk of exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>libxslt</category><category>rhel</category><category>vulnerability</category><category>code-execution</category><category>denial-of-service</category><category>linux</category></item><item><title>Red Hat Enterprise Linux Vulnerability Leads to Code Execution and Potential DoS</title><link>https://feed.craftedsignal.io/briefs/2026-03-rhel-code-execution/</link><pubDate>Wed, 25 Mar 2026 09:51:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-rhel-code-execution/</guid><description>A remote, authenticated attacker can exploit a vulnerability in Red Hat Enterprise Linux (specifically 389-ds-base) to achieve arbitrary code execution and potentially cause a denial of service.</description><content:encoded><![CDATA[<p>A vulnerability exists in Red Hat Enterprise Linux, specifically within the 389-ds-base component. This flaw allows a remote, authenticated attacker to execute arbitrary code on the affected system. While the specific nature of the vulnerability isn&rsquo;t detailed, the authentication requirement suggests it likely involves a flaw in how the 389 Directory Server handles authenticated requests. Successful exploitation could lead to complete system compromise, allowing the attacker to install malware, steal sensitive data, or disrupt services. Additionally, the vulnerability has the potential to be leveraged for a denial-of-service (DoS) attack, rendering the system unavailable. Defenders should prioritize patching and monitoring for suspicious activity related to the 389-ds-base service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains valid credentials for the 389 Directory Server, possibly through credential stuffing, phishing, or other means.</li>
<li>The attacker establishes an authenticated connection to the 389 Directory Server (likely over LDAP or LDAPS).</li>
<li>The attacker crafts a malicious request that exploits the vulnerability within 389-ds-base. This request could involve a specially formatted LDAP query or modification operation.</li>
<li>The vulnerable code within 389-ds-base processes the malicious request, leading to arbitrary code execution in the context of the 389 Directory Server process.</li>
<li>The attacker leverages the initial code execution to escalate privileges to root or another privileged account. This could involve exploiting other vulnerabilities or misconfigurations on the system.</li>
<li>The attacker installs malware, backdoors, or other malicious tools on the compromised system.</li>
<li>Alternatively, the attacker triggers a denial-of-service condition, causing the 389 Directory Server to crash or become unresponsive.</li>
<li>The attacker uses the compromised system as a foothold to move laterally within the network, targeting other critical systems and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could allow attackers to gain complete control of Red Hat Enterprise Linux systems running the 389 Directory Server. This could lead to data breaches, system outages, and further compromise of the network. The potential for denial-of-service attacks could disrupt critical services and impact business operations. The number of affected systems depends on the prevalence of 389-ds-base deployments within an organization&rsquo;s infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patches provided by Red Hat for the 389-ds-base package to remediate the vulnerability.</li>
<li>Deploy the Sigma rules below to your SIEM to detect potential exploitation attempts targeting 389-ds-base.</li>
<li>Monitor authentication logs for the 389 Directory Server for suspicious login attempts or unusual activity.</li>
<li>Review and enforce strong password policies to mitigate the risk of credential compromise.</li>
<li>Implement network segmentation to limit the impact of a potential breach.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rhel</category><category>code-execution</category><category>denial-of-service</category><category>linux</category></item><item><title>Red Hat Enterprise Linux libxslt Vulnerability Allows Code Execution or File Manipulation</title><link>https://feed.craftedsignal.io/briefs/2026-03-rhel-libxslt-vuln/</link><pubDate>Tue, 24 Mar 2026 10:16:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-rhel-libxslt-vuln/</guid><description>A local attacker can exploit a vulnerability in libxslt in Red Hat Enterprise Linux to execute arbitrary program code or manipulate files.</description><content:encoded><![CDATA[<p>A vulnerability exists within the libxslt library in Red Hat Enterprise Linux (RHEL) that could be exploited by a local attacker. While specific details regarding the vulnerability (CVE number, affected versions) are not provided in this advisory, the potential impact includes arbitrary code execution or manipulation of files on the affected system. Due to the lack of specific details, the scope of targeting remains unknown, but any RHEL system utilizing libxslt is potentially vulnerable. It is imperative that detection engineers address this threat by implementing proactive measures to identify and mitigate potential exploitation attempts, particularly focusing on detecting unexpected behavior associated with libxslt processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to a Red Hat Enterprise Linux system. This could be achieved through various means, such as compromising a user account or exploiting a separate vulnerability to gain initial access.</li>
<li>The attacker crafts a malicious XSLT stylesheet specifically designed to exploit the libxslt vulnerability. This stylesheet could contain code intended for execution or file manipulation.</li>
<li>The attacker utilizes a program or script that leverages libxslt to process the crafted malicious stylesheet. This could involve using command-line tools or applications that rely on libxslt for XML transformations.</li>
<li>During the processing of the malicious stylesheet, the libxslt vulnerability is triggered, leading to the execution of arbitrary code within the context of the application using libxslt.</li>
<li>The attacker leverages the code execution to escalate privileges on the system, potentially gaining root access.</li>
<li>Alternatively, the attacker uses the vulnerability to manipulate files on the system, modifying configurations, injecting malicious code into existing files, or exfiltrating sensitive data.</li>
<li>The attacker maintains persistence on the compromised system, ensuring continued access and control.</li>
<li>The attacker achieves their objective, which could be data theft, system disruption, or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could allow a local attacker to gain complete control over the affected Red Hat Enterprise Linux system. This may lead to data breaches, system outages, or the installation of backdoors for persistent access. Given the widespread use of RHEL in enterprise environments, a successful attack could have significant consequences across various sectors. The potential for arbitrary code execution and file manipulation makes this a high-severity vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process execution for unexpected or unusual activity involving libxslt binaries using the provided Sigma rule <code>Detect Suspicious Libxslt Process Execution</code>.</li>
<li>Implement file integrity monitoring to detect unauthorized modifications to critical system files using the Sigma rule <code>Detect Malicious File Modification via Libxslt</code>.</li>
<li>Regularly audit user privileges and access controls to minimize the potential impact of a successful exploit.</li>
<li>Investigate and remediate any identified instances of potentially malicious XSLT stylesheets being processed on RHEL systems.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>libxslt</category><category>rhel</category><category>code-execution</category><category>file-manipulation</category><category>linux</category></item></channel></rss>