How to check whether Red Hat products are affected by a list of CVEs (security vulnerabilities)

Solution Verified

Environment

  • All Red Hat Products

Issue

How to check whether Red Hat products and versions are affected by one or more CVE identifiers (security vulnerabilities).

Resolution

  1. Access the Red Hat CVE search page: https://access.redhat.com/security/cve/.

  2. For each CVE identifier in the list (for example, CVE-2026-12345), search for the exact ID on the Red Hat CVE page.

  3. If a CVE entry is present:

    • Review the “Affected Products” section to see whether the relevant product and version appear as affected.
    • Review the “Impact” and any available advisory or errata links to understand severity and available fixes or mitigations.
  4. If the CVE entry does not list the relevant product or version under “Affected Products”, record that product and version as not currently listed as affected by that CVE, based on the information Red Hat has published.

  5. If the CVE is recent and no Red Hat entry exists yet, or if the impact remains unclear for the environment in use, open a support case with Red Hat Support and provide:

    • The CVE ID or list of CVEs.
    • The product name and exact version.
    • Any relevant package versions or errata already applied.
  6. When a CVE entry indicates that fixes are available for the affected product and version, follow the linked security advisory or errata to plan and apply the required updates.

  7. For larger CVE lists (for example, from a vulnerability scanner), work through the list systematically, recording for each CVE:

    • Whether Red Hat lists the product and version as affected.
    • The advisory or errata reference, if available.
    • The planned remediation action (update, configuration change, accepted risk).
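
The record keeping in step 7 can be scripted. The following is an added example, not Red Hat code: it maps each scanner finding to a status, an advisory and a next step for one product. The sample records are constructed, their field names (affected_release, package_state, fix_state) assume the per-CVE JSON layout of Red Hat's Security Data API, and the CVE-0000-* IDs and RHSA-0000:0001 are placeholders.

```python
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample records, not real CVE data. Field names are an assumption
# based on the per-CVE JSON of Red Hat's Security Data API.
SAMPLE = {
    "CVE-2026-12345": {"package_state": [], "affected_release": [
        {"product_name": "Red Hat Enterprise Linux 9",
         "advisory": "RHSA-0000:0001"}]},          # placeholder advisory ID
    "CVE-0000-0001": {"affected_release": [], "package_state": [
        {"product_name": "Red Hat Enterprise Linux 9",
         "fix_state": "Not affected"}]},
    "CVE-0000-0002": {"affected_release": [], "package_state": [
        {"product_name": "Red Hat Enterprise Linux 8",
         "fix_state": "Affected"}]},
}

def triage(cve_ids, product, records):
    """Return one (cve, status, advisory, next_step) row per scanner finding."""
    rows = []
    for raw in cve_ids:
        cve = raw.strip().upper()
        if not CVE_RE.match(cve):          # step 2 needs the exact ID
            rows.append((raw, "invalid ID", None, "correct the scanner export"))
            continue
        rec = records.get(cve)
        if rec is None:                    # step 5: no Red Hat entry yet
            rows.append((cve, "no Red Hat entry", None, "open support case"))
            continue
        fixed = [r for r in rec.get("affected_release", [])
                 if r.get("product_name") == product]
        states = {s.get("fix_state", "unknown")
                  for s in rec.get("package_state", [])
                  if s.get("product_name") == product}
        if fixed:                          # step 6: follow the advisory
            rows.append((cve, "affected, fix released",
                         fixed[0].get("advisory"), "plan update"))
        elif states:                       # listed, but no erratum for it
            only_na = states == {"Not affected"}
            rows.append((cve, ", ".join(sorted(states)), None,
                         "verify scanner data" if only_na
                         else "review impact; open support case if unclear"))
        else:                              # step 4: product not listed
            rows.append((cve, "not listed as affected", None, "none"))
    return rows
```

The next_step column is only a starting point; the planned remediation action (update, configuration change, accepted risk) remains a decision recorded by the person working the list.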

Diagnostic Steps

Perform these steps to confirm the relationship between reported CVEs and specific Red Hat products before applying changes:

  1. Review the complete Red Hat CVE database:

    • Go to the Security Updates CVE page.
    • Search by CVE ID and, if necessary, filter by product to confirm whether Red Hat has evaluated that CVE and which products are affected.
  2. Check advisories by product and version:

    • Open the Security Advisories page.
    • Filter by product (for example, Red Hat Enterprise Linux, Red Hat OpenShift) and version to list all associated security advisories and related CVEs.
    • Use this view to confirm whether any additional CVEs or advisories apply to the environment beyond the initially provided list.
  3. Understand status values such as “Not affected”:

    • Open the Red Hat Security Glossary.
    • Review definitions for terms such as “Affected”, “Not affected”, “Under investigation”, and similar states to correctly interpret the CVE page.
  4. When a vulnerability scanner reports that a CVE affects a system but the Red Hat CVE entry lists the product as “Not affected”:

    • Confirm that the installed RPMs are genuine Red Hat packages for the reported product and version.
    • Verify that the scanner uses current Red Hat vendor data and signatures.
    • If the discrepancy persists, open a support case with Red Hat Support and include scanner output, product details, and CVE IDs.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
