<Vulnerability name="CVE-2026-44582">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-05-13T17:08:22</PublicDate>
    <Bugzilla id="2477211" url="https://bugzilla.redhat.com/show_bug.cgi?id=2477211" xml:lang="en:us">
Next.js: Next.js: Cache poisoning allows incorrect response delivery
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>3.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-354</CWE>
    <Details xml:lang="en:us" source="Mitre">
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Next.js. React Server Component responses are vulnerable to cache poisoning in deployments that use shared caches without proper response partitioning. An attacker can exploit collisions in the _rsc cache-busting value to poison cache entries. This allows users to receive incorrect response variants for a given URL, potentially leading to information integrity issues.
    </Details>
    <Statement xml:lang="en:us">
Low: This flaw in Next.js affects deployments utilizing shared caches without adequate response partitioning. An attacker could leverage collisions in the `_rsc` cache-busting mechanism to poison cache entries, resulting in users receiving unintended content for a given URL. This issue primarily impacts the integrity of cached responses in specific deployment configurations.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>firefox</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>thunderbird</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>firefox</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>firefox</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>thunderbird</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>firefox</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>thunderbird</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhelai3/bootc-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhelai3/bootc-gaudi-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhelai3/bootc-rocm-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhelai3/disk-image-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:trusted_artifact_signer:1">
        <ProductName>Red Hat Trusted Artifact Signer</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhtas/rekor-search-ui-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:2">
        <ProductName>streams for Apache Kafka 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>next</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:3">
        <ProductName>streams for Apache Kafka 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>next</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-44582
https://nvd.nist.gov/vuln/detail/CVE-2026-44582
https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949
    </References>
</Vulnerability>