Description
A flaw was found in Keycloak. An unauthenticated remote attacker who can open a TLS 1.2 connection to Keycloak can cause a denial of service (DoS) by repeatedly requesting renegotiation on that connection. Each client-initiated renegotiation makes the server perform another full, CPU-intensive handshake, and because the number of renegotiations is neither limited nor throttled, a sustained stream of them exhausts server CPU and makes the service unavailable.
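The following probe is an added example, not part of this advisory or of the Keycloak project: it checks whether a TLS 1.2 endpoint still honours client-initiated renegotiation, the behaviour the flaw abuses, by driving `openssl s_client -state` and typing its `R` (renegotiate) command at it. The function names, the sample transcripts (constructed to resemble `s_client -state` output; real output wording may differ slightly) and the use of coreutils `timeout` are assumptions of the example.

```shell
#!/bin/sh
# Added example: probe a TLS 1.2 endpoint for client-initiated renegotiation.
# Not advisory or Keycloak code. Needs the `openssl` CLI and `timeout` for the
# live probe; the classifier is pure text processing and also works on saved output.

# Classify captured stdout+stderr of `openssl s_client -state` after 'R' was typed.
# Prints one of: accepted | rejected | unknown | no-renegotiation-attempted
classify_reneg_output() {
    out="$1"
    # s_client prints "RENEGOTIATING" when it acts on 'R'; only what follows matters.
    case "$out" in
        *RENEGOTIATING*) after="${out#*RENEGOTIATING}" ;;
        *) echo "no-renegotiation-attempted"; return 0 ;;
    esac
    case "$after" in
        # Server answered the renegotiation ClientHello with a no_renegotiation
        # warning alert or a fatal handshake_failure: renegotiation is refused.
        *"no renegotiation"*|*"handshake failure"*) echo "rejected" ;;
        # A second handshake ran to completion: the server redoes the expensive
        # key exchange on demand, which is the condition the DoS exploits.
        *"SSL negotiation finished successfully"*) echo "accepted" ;;
        *) echo "unknown" ;;
    esac
}

# Live probe: open a TLS 1.2 session, give the handshake a second, send 'R',
# wait for the server's reaction, then classify what s_client printed.
# Forcing -tls1_2 matters: TLS 1.3 has no renegotiation, so a TLS 1.3-only
# server never reaches the RENEGOTIATING step and reports "no-renegotiation-attempted".
probe_reneg() {
    host="$1"; port="${2:-443}"
    command -v openssl >/dev/null 2>&1 || { echo "error: openssl not found" >&2; return 2; }
    out=$( (sleep 1; printf 'R\n'; sleep 2) | timeout 10 openssl s_client \
            -connect "$host:$port" -servername "$host" -tls1_2 -state 2>&1 )
    classify_reneg_output "$out"
}

# Constructed sample transcripts (assumption: modelled on s_client -state output).
SAMPLE_ACCEPTED='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSL negotiation finished successfully'
SAMPLE_REJECTED='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:warning:no renegotiation'
SAMPLE_NONE='SSL_connect:SSL negotiation finished successfully
closed'

if [ "$#" -ge 1 ]; then
    # Usage: sh probe.sh keycloak.example.internal 8443
    printf '%s:%s -> %s\n' "$1" "${2:-443}" "$(probe_reneg "$1" "$2")"
else
    # No target given: run the classifier over the constructed samples.
    printf 'sample accepted -> %s\n' "$(classify_reneg_output "$SAMPLE_ACCEPTED")"
    printf 'sample rejected -> %s\n' "$(classify_reneg_output "$SAMPLE_REJECTED")"
    printf 'sample none     -> %s\n' "$(classify_reneg_output "$SAMPLE_NONE")"
fi
```

A result of `accepted` against a Keycloak listener is the condition to remediate by updating to a fixed version listed under Product status. Independently of this advisory, JSSE-based servers (Keycloak runs on the JVM) can refuse client-initiated renegotiation at the JVM level with the documented system property `-Djdk.tls.rejectClientInitiatedRenegotiation=true`, after which the probe should report `rejected`; whether the vendor fix uses that property is not stated here and is not assumed by the example. The sleep values are a heuristic for slow networks, not a protocol requirement.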
Problem types
Allocation of Resources Without Limits or Throttling (CWE-770)
Product status
Any version before 26.0.16
26.1.0 (semver) before 26.1.*
26.2.0 (semver) before 26.2.10
26.3.0 (semver) before 26.3.*
26.4.0 (semver) before 26.4.1
26.0.16-2 (rpm) before *
26.0-20 (rpm) before *
26.0-21 (rpm) before *
26.2.10-2 (rpm) before *
26.2-11 (rpm) before *
Timeline
| 2025-10-07: | Reported to Red Hat. |
| 2025-10-07: | Made public. |
References
access.redhat.com/errata/RHSA-2025:18254 (RHSA-2025:18254)
access.redhat.com/errata/RHSA-2025:18255 (RHSA-2025:18255)
access.redhat.com/errata/RHSA-2025:18889 (RHSA-2025:18889)
access.redhat.com/errata/RHSA-2025:18890 (RHSA-2025:18890)
access.redhat.com/security/cve/CVE-2025-11419
bugzilla.redhat.com/show_bug.cgi?id=2402142 (RHBZ#2402142)
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.