Red Hat Product Errata RHSA-2026:18479 - Security Advisory Issued: 2026-05-19 Updated: 2026-05-19 RHSA-2026:18479 - Security Advisory Overview Updated Packages Synopsis Important: qemu-kvm security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for qemu-kvm is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es): firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694) firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696) firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692) firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699) firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695) firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 10 Release Notes linked from the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Fixes BZ - 2328941 - CVE-2024-11694 firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims BZ - 2328943 - CVE-2024-11696 firefox: thunderbird: Unhandled Exception in Add-on Signature Verification BZ - 2328946 - CVE-2024-11692 firefox: thunderbird: Select list elements could be shown over another site BZ - 2328947 - CVE-2024-11699 firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 BZ - 2328948 - CVE-2024-11695 firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters BZ - 2328950 - CVE-2024-11697 firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog RHEL-110003 - Expose block limits of block nodes in QMP and qemu-img RHEL-120115 - The vf nic created using the IGB emulated nic can not obtain ip address RHEL-121543 - The VM hit io error when do S3-PR integration on the pass-through failover multipath device RHEL-129540 - Assertion failure on drain with iothread and I/O load RHEL-130478 - Migration from RHEL 10.2 to RHEL 10.1 with virt-rhel10.0.0 machine type fails on Grace RHEL-130704 - [rhel10] Fix the typo under vfio-pci device's enable-migration option RHEL-126707 - [qemu, rhel-10] increase default TSEG size RHEL-143785 - backport support for GSO over UDP tunnel offload RHEL-101929 - enable 'usb-bot' device for proper support of USB CD-ROM drives via libvirt RHEL-105828 - Add new -rhel10.2.0 machine type to qemu-kvm [x86_64] RHEL-116443 - qemu crash after hot-unplug disk from the multifunction enabled bus,crash point PCIDevice *vf = dev->exp.sriov_pf.vf[i] RHEL-119368 - [rhel10] Backport "arm/kvm: report registers we failed to set" RHEL-120253 - Backport fixes for PDCM and ARCH_CAPABILITIES migration incompatibility RHEL-126573 - [RHEL 10.2] VFIO migration using multifd should be disabled by default RHEL-71834 - Support more than one pxe boot entry RHEL-79118 - [network-storage][rbd][core-dump]installation of guest failed sometimes with multiqueue enabled [rhel10] RHEL-81894 - Support live migration in qemu-vdagent RHEL-88788 - [arm64] (qemu) rom: file vgabios-ramfb.bin : error Failed to open file ?vgabios-ramfb.bin?: No such file or directory RHEL-94534 - [virtiofs]qemu coredumped during migration while the virtiofsd daemon is down[rhel10.1] RHEL-132749 - Migrate SCSI PR state and preempt reservation upon live migration RHEL-134989 - Hotplugged interface device can not be shown in the guest RHEL-146584 - [RHEL-10.2][ARM]: Unable to Check the mem prefetched size on Guest RHEL-144004 - [rhel-10] Regression in BLOCK_IO_ERROR event delivery with (w|r)error setting of 'stop' or 'enospc' due to event rate limiting RHEL-153058 - Qemu crashes with "double free" during restore --reset-nvram with uefi-vars secure boot RHEL-155601 - Mirror job can miss writes during startup, corrupting the copy [rhel-10.2] CVEs CVE-2024-11692 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699 References https://access.redhat.com/security/updates/classification/#important https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.2_release_notes/index Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM qemu-kvm-10.1.0-16.el10_2.src.rpm SHA-256: 61427db8ad902d501f28ff906abba67409018507619d0eeb40442332e2a1e650 x86_64 qemu-guest-agent-10.1.0-16.el10_2.x86_64.rpm SHA-256: a8f89bba3578ad401deadeedbcf59e388c68639379791c002ff40a48321b6a66 qemu-guest-agent-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 873fde9fc69873fbc1c7b70273da4895cb55625185bf0045d35b7c6ce7ca6113 qemu-img-10.1.0-16.el10_2.x86_64.rpm SHA-256: e25b4489e65e6219dfd9f89c65da53b4559b6dbc1307416e0fde2f2c80b7b51b qemu-img-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 49966a48a1a5f2a25b18346cbc038af43ecb21bc84aa9470922e0e613e134973 qemu-kvm-10.1.0-16.el10_2.x86_64.rpm SHA-256: 879ce83d3a99f7977b710cfcebea8fad025e33a5bcc8918aec7051dd5d185583 qemu-kvm-audio-dbus-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 2ba816ebc32cf8eb93756e031b3fa56729adb1c47e3400b5004a82f22bc8abd2 qemu-kvm-audio-pa-10.1.0-16.el10_2.x86_64.rpm SHA-256: 19571466e3587a118bb68f685f559adfaee13768fe0cc56070f14406f24fe395 qemu-kvm-audio-pa-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: be89d9c5d46d8c4f45191ffcdf44bab46ba284e28afd940c13f5ff01c784c28f qemu-kvm-block-blkio-10.1.0-16.el10_2.x86_64.rpm SHA-256: 709a948bcbf7de10fbbc92e666d143de885573f9f798d78208a0060f192b3c89 qemu-kvm-block-blkio-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 190ba84ef576875c1a2b4fa2696c77ff6ad61287db4dfd08f7812ebbef1741b9 qemu-kvm-block-curl-10.1.0-16.el10_2.x86_64.rpm SHA-256: b0b3d40907a10158fffc13344da390125b7ca98ee5ba39b1712eaebc03a79d04 qemu-kvm-block-curl-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 28bacb3e149d74bda64ab0cdc2a3e9adc1b1426b96d17ef58811ea9b17fbf166 qemu-kvm-block-rbd-10.1.0-16.el10_2.x86_64.rpm SHA-256: 57f6b6db19e2ccd6f62610828e88dfa8085fb933e8f6f20cf90599d2083677ee qemu-kvm-block-rbd-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 413c2b25ecc0e5fa67d5b0b0f4f33e116faf8c51d4ec282b78caf8efd389bf6f qemu-kvm-common-10.1.0-16.el10_2.x86_64.rpm SHA-256: 1fdac47e67fd5713ec2f79303545f0d1a70bc3858ef8f9158a50df764c8eced5 qemu-kvm-common-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: ba9c0b4341be2b8f5b112068c63f9f58bbb1758448753966cfda8f92d0f7d52c qemu-kvm-core-10.1.0-16.el10_2.x86_64.rpm SHA-256: f5b9df4dfa004ffb4b9dca492324d205f3fd6702c4f95236999a13417c4e1c69 qemu-kvm-core-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: cd8babd04fdf3ccdc21e4706f1f416fc4ebb3c87a64af3ef5a9f4b98150053b5 qemu-kvm-debugsource-10.1.0-16.el10_2.x86_64.rpm SHA-256: 416a66a88711cc489be62ebc41ce3872fc97b49c4345dc1ae054d9ed2e0b65a2 qemu-kvm-device-display-virtio-gpu-10.1.0-16.el10_2.x86_64.rpm SHA-256: 65ae56b83fe0db36ee2d51b0ad026d72bea0e39626fb3b597bda0ea337bfd389 qemu-kvm-device-display-virtio-gpu-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 62525628d23a2d6c01c1b566ba6aaa8127e6c63dfe2fcbf5e77020056e9758f6 qemu-kvm-device-display-virtio-gpu-pci-10.1.0-16.el10_2.x86_64.rpm SHA-256: 6f8ba07a06e18c621b58478bbb94ecb9949d3e1b4c7cdff26e60450f3ea9da89 qemu-kvm-device-display-virtio-gpu-pci-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 2444dc0dd7947cab6e0d64ec02f3673cdbd3346932739d7448d4186eb5f231d3 qemu-kvm-device-display-virtio-vga-10.1.0-16.el10_2.x86_64.rpm SHA-256: dbf70fba91f1c1bfe31ddcfc938b732064d22b3e9dd2353dc3b684b7386ce05b qemu-kvm-device-display-virtio-vga-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: e162c5d680ed3dd55e159d6eca938b68930401ba2f9810f64477fc8d8fd39c4b qemu-kvm-device-usb-host-10.1.0-16.el10_2.x86_64.rpm SHA-256: 3d6fe7669109d7f12c97b2afcd0f9b0a5cb6fc5f2a86a5ed3bce60b7f53f6b38 qemu-kvm-device-usb-host-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 5962135975cc6395da956090cfc886437dc87e8a41bbee678aaf380bc5d1bf4f qemu-kvm-device-usb-redirect-10.1.0-16.el10_2.x86_64.rpm SHA-256: a4e25513012c148e5dea9f5849ab3b94b056fb602b29feaeef858ab59c6c6989 qemu-kvm-device-usb-redirect-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 0696df0eebf3a9dec63538f0f92203f3c0253c2fed51deb8b18a7febc705f48c qemu-kvm-docs-10.1.0-16.el10_2.x86_64.rpm SHA-256: 4cbac0a921a0c9d35b7fa78ff94b3a1d40c761c63ec190953241c111a9e5001b qemu-kvm-tests-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 60215df533813bd7badca585d2178697666a490ed7829314fb92accc94344248 qemu-kvm-tools-10.1.0-16.el10_2.x86_64.rpm SHA-256: 5939ff4af9fabd33e12223ad5f6ce718e75e4862f8e18ac51a0c5eea84b6cb97 qemu-kvm-tools-debuginfo-10.1.0-16.el10_2.x86_64.rpm SHA-256: 95cf5ad0a412bd5e984bbe9ea6d9b3266dc973db751fbaca9de1c8ce36fff8b6 qemu-kvm-ui-dbus-debugin