Openshift

This hub aggregates every CVE we track for Openshift. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Openshift.

• CVE-2026-35092Corosync: corosync: denial of service via integer overflow in join message validation7.5Apr 1, 2026
• CVE-2026-35091Corosync: corosync: denial of service and information disclosure via crafted udp packet8.2Apr 1, 2026
• CVE-2026-32285Denial of service in github.com/buger/jsonparser7.5Mar 26, 2026
• CVE-2025-61594URI Credential Leakage Bypass over CVE-2025-272217.5Dec 30, 2025
• CVE-2025-14512Glib: integer overflow in glib gio attribute escaping causes heap buffer overflow6.5Dec 11, 2025
• CVE-2024-45777Grub2: grub-core/gettext: integer overflow leads to heap oob write.6.7Feb 19, 2025
• CVE-2024-12085Rsync: info leak via uninitialized stack contents7.5Jan 14, 2025
• CVE-2024-1485Registry-support: decompress can delete files outside scope via relative paths8.0Feb 13, 2024
• CVE-2023-44487The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.KEV7.5Oct 10, 2023
• CVE-2023-24538Backticks not treated as string delimiters in html/template9.8Apr 6, 2023
• CVE-2023-0229A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they c...6.3Jan 25, 2023
• CVE-2023-0296The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in th...5.3Jan 17, 2023
• CVE-2022-3259Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.7.4Dec 9, 2022
• CVE-2022-3262A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name wi...8.1Dec 8, 2022
• CVE-2022-3260The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.4.8Dec 8, 2022