RHSA-2026:7109 - Security Advisory

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.20.6 includes the following CVE fixes:

• netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values [quarkus-3.20] (CVE-2026-33870)
• netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood [quarkus-3.20] (CVE-2026-33871)
• plexus-utils: Plexus-utils: Directory Traversal in extractFile method [quarkus-3.20] (CVE-2025-67030)
• avro: Apache Avro Java SDK: Code injection on Java generated code [quarkus-3.20] (CVE-2025-33042)
• vertx-core: static handler component cache can be manipulated to deny the access to static files [quarkus-3.20] (CVE-2026-1002)

For more information, see the release notes page listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

• QUARKUS-6878 - [3.20] quarkus-tls-registry should declare its CLI plugin as fatjar
• QUARKUS-7203 - Fix Rest Client logging documentation
• QUARKUS-7204 - Fix a scope double-encoding issue in KeycloakTestClient
• QUARKUS-7206 - [3.20] build(deps): bump the hibernate group with 5 updates
• QUARKUS-7207 - Fix handling of multiple PreExceptionMapperHandler
• QUARKUS-7322 - [3.20] build(deps): bump the hibernate group with 6 updates
• QUARKUS-7323 - Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 in /devtools/gradle
• QUARKUS-7324 - Bump org.assertj:assertj-core from 3.27.3 to 3.27.4
• QUARKUS-7325 - Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 in /devtools/gradle
• QUARKUS-7326 - Bump org.assertj:assertj-core from 3.27.4 to 3.27.5
• QUARKUS-7327 - Bump org.assertj:assertj-core from 3.27.5 to 3.27.6
• QUARKUS-7328 - Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 in /build-parent
• QUARKUS-7329 - Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 in /devtools/gradle
• QUARKUS-7330 - Bump org.assertj:assertj-core from 3.27.6 to 3.27.7
• QUARKUS-7331 - Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 in /devtools/gradle
• QUARKUS-7347 - Bump to Vert.x 4.5.25
• QUARKUS-7379 - [3.20] build(deps): bump the hibernate group with 6 updates

CVEs

• CVE-2025-33042
• CVE-2025-67030
• CVE-2026-1002
• CVE-2026-33870
• CVE-2026-33871

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/products/quarkus/
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=3.20.6
• https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20