RHSA-2026:26018 - Security Advisory

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.27.4.SP1 includes the following CVE fixes:

• quarkus-vertx-http: Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities [quarkus-3.27] (CVE-2026-50559)
• vertx-core: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name [quarkus-3.27] (CVE-2026-6860)
• netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation [quarkus-3.27] (CVE-2026-44249)
• netty-codec-haproxy: Netty-codec-haproxy: Denial of Service via malformed HAProxy message [quarkus-3.27] (CVE-2026-44893)
• netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak [quarkus-3.27] (CVE-2026-48043)
• netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers [quarkus-3.27] (CVE-2026-48059)
• netty-resolver-dns: Netty has Insufficient Bailiwick Validation for NS Records [quarkus-3.27] (CVE-2026-47691)
• netty-handler: Netty: Improper trust manager handling leads to hostname verification bypass [quarkus-3.27] (CVE-2026-50010)
• netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation [quarkus-3.27] (CVE-2026-45674)
• netty-handler: Netty: Denial of Service due to eager buffer allocation in TLS handshake [quarkus-3.27] (CVE-2026-45416)
• netty-codec-http2: Netty: Denial of Service due to HTTP/2 max header size handling [quarkus-3.27] (CVE-2026-50560)
• netty-codec-http2: Netty: Denial of Service via uncontrolled HTTP/2 concurrent streams [quarkus-3.27] (CVE-2026-47244)
• netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder [quarkus-3.27] (CVE-2026-50020)
• netty-resolver-dns: Netty DNS resolver: DNS Cache Poisoning via predictable transaction IDs [quarkus-3.27] (CVE-2026-45673)

For more information, see the release notes page listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

• QUARKUS-7954 - [3.27.4.SP1] Upgrade Netty to 4.1.135.Final and Vertx to 4.5.28

CVEs

• CVE-2026-6860
• CVE-2026-44249
• CVE-2026-44893
• CVE-2026-45416
• CVE-2026-45673
• CVE-2026-45674
• CVE-2026-47244
• CVE-2026-47691
• CVE-2026-48043
• CVE-2026-48059
• CVE-2026-50010
• CVE-2026-50020
• CVE-2026-50559
• CVE-2026-50560

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/products/quarkus/
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=3.27.4.SP1
• https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27