- What: Security update for linux-sgx in Red Hat Enterprise Linux 10
- Impact: Systems using Intel SGX may be vulnerable to denial of service
Red Hat Product Errata RHSA-2026:18480 - Security Advisory

- Issued: 2026-05-19
- Updated: 2026-05-19

Synopsis

Important: linux-sgx security update

Type/Severity

Security Advisory: Important

Topic

An update for linux-sgx is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Intel SGX SDK is a collection of APIs, libraries, documentation and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++.

Security Fix(es):

- qs: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284)
- node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives (CVE-2026-23745)
- node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition (CVE-2026-23950)
- lodash: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)
- node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check (CVE-2026-24842)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 10 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

- Red Hat Enterprise Linux for x86_64 10 x86_64

Fixes

- BZ - 2425946 - CVE-2025-15284 qs: qs: Denial of Service via improper input validation in array parsing
- BZ - 2430538 - CVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
- BZ - 2431036 - CVE-2026-23950 node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
- BZ - 2431740 - CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
- BZ - 2433645 - CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
- RHEL-110112 - [rhel10] Sgx-dcap: qgs service will failed with tdx guest attestation if not rebooting host
- RHEL-121612 - [RHEL-10.2] Rebase to latest upstream SGX 2.26 / dcap 1.24 releases
- RHEL-140108 - Typo in pccsadmin cache default info file name

CVEs

- CVE-2025-13465
- CVE-2025-15284
- CVE-2026-23745
- CVE-2026-23950
- CVE-2026-24842

References

- https://access.redhat.com/security/updates/classification/#important
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.2_release_notes/index

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 10

SRPM

- linux-sgx-2.26-7.el10.src.rpm

x86_64

- linux-sgx-debuginfo-2.26-7.el10.x86_64.rpm
- linux-sgx-debugsource-2.26-7.el10.x86_64.rpm
- sgx-common-2.26-7.el10.x86_64.rpm
- sgx-enclave-devel-debuginfo-2.26-7.el10.x86_64.rpm
- sgx-libs-2.26-7.el10.x86_64.rpm
- sgx-libs-debuginfo-2.26-7.el10.x86_64.rpm
- sgx-mpa-2.26-7.el10.x86_64.rpm
- sgx-mpa-debuginfo-2.26-7.el10.x86_64.rpm
- sgx-pccs-2.26-7.el10.x86_64.rpm
- sgx-pccs-admin-2.26-7.el10.x86_64.rpm
- sgx-pccs-debuginfo-2.26-7.el10.x86_64.rpm
- sgx-pckid-tool-2.26-7.el10.x86_64.rpm
- sgx-pckid-tool-debuginfo-2.26-7.el10.x86_64.rpm
- tdx-attest-libs-debuginfo-2.26-7.el10.x86_64.rpm
- tdx-qgs-2.26-7.el10.x86_64.rpm
- tdx-qgs-debuginfo-2.26-7.el10.x86_64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.