Description
A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure.
Published: 2026-04-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service or Information Disclosure
Action: Assess Impact
AI Analysis

Impact

A memory corruption flaw in GNU Emacs arises when it processes specially crafted SVG files that contain CSS. The vulnerability allows a local user who can convince a victim to open a malicious SVG to trigger a crash, which can lead to a denial of service or, in some cases, reveal sensitive information from memory.

Affected Systems

The flaw affects the Emacs component installed on Red Hat Enterprise Linux releases 6 through 10. No specific Emacs or RHEL version numbers are supplied; the issue applies broadly to all Emacs packages shipped with these operating systems.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score is not available. This vulnerability is not listed in the CISA KEV catalog and no workaround has been identified. The attack vector is local: an attacker must convince a user to open a malicious SVG file with Emacs, meaning that external network access is not required.

Generated by OpenCVE AI on April 27, 2026 at 19:18 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Install the latest RHEL update that includes the patched Emacs package by running the appropriate system package manager command (e.g., dnf update emacs).
  • If a patch has not yet been released, reduce exposure by restricting file permissions so that only trusted users or directories can provide SVG files to Emacs, preventing untrusted content from being opened.
  • Enable SELinux in enforcing mode and configure the policy so that Emacs is restricted from accessing arbitrary SVG files, limiting its ability to process dangerous CSS content.

Generated by OpenCVE AI on April 27, 2026 at 19:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Gnu
Gnu emacs
CPEs cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*
Vendors & Products Gnu
Gnu emacs

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat emacs
Vendors & Products Redhat emacs

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure.
Title Emacs: emacs: memory corruption vulnerability when processing svg css
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-193
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Gnu Emacs
Redhat Emacs Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-22T15:59:40.836Z

Reserved: 2026-04-22T13:05:41.130Z

Link: CVE-2026-6861

cve-icon Vulnrichment

Updated: 2026-04-22T15:53:47.065Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:17:07.860

Modified: 2026-05-06T20:27:36.917

Link: CVE-2026-6861

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-19T00:00:00Z

Links: CVE-2026-6861 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:21:04Z

Weaknesses