{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2026-24734: fix improper input validation vulnerability", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774442729", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774442729" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2026/clsa-2026_1774442729.json" } ], "tracking": { "current_release_date": "2026-03-25T12:46:09Z", "generator": { "date": "2026-03-25T12:46:09Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1774442729", "initial_release_date": "2026-03-25T12:46:09Z", "revision_history": [ { "date": "2026-03-25T12:46:09Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "tomcat: Fix of CVE-2026-24734" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.6", "product": { "name": "AlmaLinux 9.6", "product_id": "AlmaLinux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Rocky Linux 9.6", "product": { "name": "Rocky Linux 9.6", "product_id": "Rocky Linux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Rocky Linux" } ], "category": "vendor", "name": "Rocky Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-el-3.0-api@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-lib@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-admin-webapps@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-jsp-2.3-api@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-webapps@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-servlet-4.0-api@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } }, { "category": "product_version", "name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product": { "name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_id": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/tomcat-docs-webapp@9.0.87-3.el9_6.3.tuxcare.els4?arch=noarch&epoch=1" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" }, "product_reference": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-24734", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "description", "text": "Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.\n\nWhen using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.\n\nThis issue affects Apache Tomcat Native:  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.\n\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.\n\nApache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.\n\nApache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-24734" }, { "category": "external", "summary": "https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml", "url": "https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml" } ], "release_date": "2026-02-17T19:21:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-25T12:45:32.650644Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774442729", "product_ids": [ "AlmaLinux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774442729" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "AlmaLinux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-lib-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch", "Rocky Linux-9.6:tomcat-webapps-1:9.0.87-3.el9_6.3.tuxcare.els4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] } ] }