Fedora Account System
Red Hat Associate
Red Hat Customer
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:30853 https://access.redhat.com/errata/RHSA-2026:30853
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:30854 https://access.redhat.com/errata/RHSA-2026:30854
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:30855 https://access.redhat.com/errata/RHSA-2026:30855
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:34357 https://access.redhat.com/errata/RHSA-2026:34357
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:34359 https://access.redhat.com/errata/RHSA-2026:34359