Red Hat (and Red Hat clone) users should `grype db update`

TL;DR

Last night’s Grype database has some incorrect fixed versions for Red Hat RPMs, and you should run `grype db update` (or let Grype notice and download the new database; by default Grype checks for a new database if it’s been more than 2 hours since the last check). Vunnel users should also upgrade to the latest release (Release v0.36.0 · anchore/vunnel · GitHub). Upgrading Grype itself is not required to benefit from this fix.

If you’re reading this well after 2025-08-01T21:00:00Z, Grype will notice the new database by default, and no action is needed unless you have configured Grype to check for new databases less often.

Details

Overnight (about 4 AM August 1 UTC) the Grype database that was published had incorrect Red Hat version parsing in it, resulting in some false positives and some false negatives for RPMs on Red Hat (and distros that follow Red Hat very closely, such as CentOS, Alma, and Rocky). The affected packages were members of RPM modules. The root cause of the issue was that Red Hat’s CSAF VEX JSON changed how it represents PURLs for RPM modules, and Vunnel incorrectly parsed the new CSAF.

You can see the Vunnel fix at fix(rhel): account for new rpmmod purl shape by westonsteimel · Pull Request #836 · anchore/vunnel · GitHub.

Please reply here if you have any questions.