CVE-2026-32281 (GCVE-0-2026-32281)
Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19 – CWE-407 - Inefficient Algorithmic Complexity
| Vendor | Product | Version |
|---|---|---|
| Go standard library | crypto/x509 | Affected: 0, < 1.25.9 (semver); Affected: 1.26.0-0, < 1.26.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:52:37.734298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:19:44.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/x509",
"product": "crypto/x509",
"programRoutines": [
{
"name": "policiesValid"
},
{
"name": "Certificate.Verify"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.2",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek - https://ciolek.dev"
}
],
"descriptions": [
{
"lang": "en",
"value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T01:06:58.354Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/758061"
},
{
"url": "https://go.dev/issue/78281"
},
{
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"title": "Inefficient policy validation in crypto/x509"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-32281",
"datePublished": "2026-04-08T01:06:58.354Z",
"dateReserved": "2026-03-11T16:38:46.556Z",
"dateUpdated": "2026-04-13T18:19:44.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32281",
"date": "2026-06-29",
"epss": "0.00349",
"percentile": "0.26795"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32281\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-04-08T02:16:03.350\",\"lastModified\":\"2026-06-17T10:35:28.980\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.\"}],\"affected\":[{\"source\":\"security@golang.org\",\"affectedData\":[{\"vendor\":\"Go standard library\",\"product\":\"crypto/x509\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pkg.go.dev\",\"packageName\":\"crypto/x509\",\"programRoutines\":[{\"name\":\"policiesValid\"},{\"name\":\"Certificate.Verify\"}],\"versions\":[{\"version\":\"0\",\"lessThan\":\"1.25.9\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"1.26.0-0\",\"lessThan\":\"1.26.2\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-04-13T17:52:37.734298Z\",\"id\":\"CVE-2026-32281\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.9\",\"matchCriteriaId\":\"C6C9C072-9817-402D-877F-F83584B07017\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.26.0\",\"versionEndExcluding\":\"1.26.2\",\"matchCriteriaId\":\"39FE9BAF-55E9-43AA-B14E-239E7EF1D65D\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/758061\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/78281\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4946\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32281\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-13T17:52:37.734298Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T17:52:33.394Z\"}}], \"cna\": {\"title\": \"Inefficient policy validation in crypto/x509\", \"credits\": [{\"lang\": \"en\", \"value\": \"Jakub Ciolek - https://ciolek.dev\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"crypto/x509\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.25.9\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.26.0-0\", \"lessThan\": \"1.26.2\", \"versionType\": \"semver\"}], \"packageName\": \"crypto/x509\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"policiesValid\"}, {\"name\": \"Certificate.Verify\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/758061\"}, {\"url\": \"https://go.dev/issue/78281\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4946\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-407: Inefficient Algorithmic Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-04-08T01:06:58.354Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32281\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T18:19:44.779Z\", \"dateReserved\": \"2026-03-11T16:38:46.556Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-04-08T01:06:58.354Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:19719
Vulnerability from csaf_redhat - Published: 2026-05-20 16:45 - Updated: 2026-06-30 12:53
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix |
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix |
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 | — | | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Collector with the supported components for a Red Hat build of OpenTelemetry\n\nSecurity Fix(es):\n\n* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)\n\n* github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\n* crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n\n* crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810)\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19719",
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19719.json"
}
],
"title": "Red Hat Security Advisory: opentelemetry-collector security update",
"tracking": {
"current_release_date": "2026-06-30T12:53:48+00:00",
"generator": {
"date": "2026-06-30T12:53:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:19719",
"initial_release_date": "2026-05-20T16:45:20+00:00",
"revision_history": [
{
"date": "2026-05-20T16:45:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T16:45:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T12:53:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux_eus:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.src",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.src",
"product_id": "opentelemetry-collector-0:0.144.0-2.el10_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el10_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"product_id": "opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el10_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"product_id": "opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el10_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"product_id": "opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el10_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.x86_64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.x86_64",
"product_id": "opentelemetry-collector-0:0.144.0-2.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el10_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el10_0.src",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25679",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-03-06T22:02:11.567841+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445356"
}
],
"notes": [
{
"category": "description",
"text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "RHBZ#2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://go.dev/cl/752180",
"url": "https://go.dev/cl/752180"
},
{
"category": "external",
"summary": "https://go.dev/issue/77578",
"url": "https://go.dev/issue/77578"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4601",
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"release_date": "2026-03-06T21:28:14.211000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
},
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-32283",
"cwe": {
"id": "CWE-764",
"name": "Multiple Locks of a Critical Resource"
},
"discovery_date": "2026-04-08T02:01:16.213799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456338"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"category": "external",
"summary": "RHBZ#2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32283",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"category": "external",
"summary": "https://go.dev/cl/763767",
"url": "https://go.dev/cl/763767"
},
{
"category": "external",
"summary": "https://go.dev/issue/78334",
"url": "https://go.dev/issue/78334"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4870",
"url": "https://pkg.go.dev/vuln/GO-2026-4870"
}
],
"release_date": "2026-04-08T01:06:57.670000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-33810",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-04-08T02:01:09.100830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33810"
},
{
"category": "external",
"summary": "RHBZ#2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33810",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33810"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"category": "external",
"summary": "https://go.dev/cl/763763",
"url": "https://go.dev/cl/763763"
},
{
"category": "external",
"summary": "https://go.dev/issue/78332",
"url": "https://go.dev/issue/78332"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4866",
"url": "https://pkg.go.dev/vuln/GO-2026-4866"
}
],
"release_date": "2026-04-08T01:06:56.546000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:45:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.aarch64",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.s390x",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.src",
"AppStream-10.0.Z.E2S:opentelemetry-collector-0:0.144.0-2.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
RHSA-2026:19720
Vulnerability from csaf_redhat - Published: 2026-05-20 17:01 - Updated: 2026-06-30 12:53

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix |
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix |
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src | — | | Vendor Fix, Workaround |
| AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 | — | | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Collector with the supported components for a Red Hat build of OpenTelemetry\n\nSecurity Fix(es):\n\n* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)\n\n* github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\n* crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n\n* crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810)\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19720",
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19720.json"
}
],
"title": "Red Hat Security Advisory: opentelemetry-collector security update",
"tracking": {
"current_release_date": "2026-06-30T12:53:49+00:00",
"generator": {
"date": "2026-06-30T12:53:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:19720",
"initial_release_date": "2026-05-20T17:01:05+00:00",
"revision_history": [
{
"date": "2026-05-20T17:01:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T17:01:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T12:53:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.src",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.src",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.x86_64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.x86_64",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25679",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-03-06T22:02:11.567841+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445356"
}
],
"notes": [
{
"category": "description",
"text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "RHBZ#2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://go.dev/cl/752180",
"url": "https://go.dev/cl/752180"
},
{
"category": "external",
"summary": "https://go.dev/issue/77578",
"url": "https://go.dev/issue/77578"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4601",
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"release_date": "2026-03-06T21:28:14.211000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
},
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-32283",
"cwe": {
"id": "CWE-764",
"name": "Multiple Locks of a Critical Resource"
},
"discovery_date": "2026-04-08T02:01:16.213799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456338"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"category": "external",
"summary": "RHBZ#2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32283",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"category": "external",
"summary": "https://go.dev/cl/763767",
"url": "https://go.dev/cl/763767"
},
{
"category": "external",
"summary": "https://go.dev/issue/78334",
"url": "https://go.dev/issue/78334"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4870",
"url": "https://pkg.go.dev/vuln/GO-2026-4870"
}
],
"release_date": "2026-04-08T01:06:57.670000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-33810",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-04-08T02:01:09.100830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33810"
},
{
"category": "external",
"summary": "RHBZ#2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33810",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33810"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"category": "external",
"summary": "https://go.dev/cl/763763",
"url": "https://go.dev/cl/763763"
},
{
"category": "external",
"summary": "https://go.dev/issue/78332",
"url": "https://go.dev/issue/78332"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4866",
"url": "https://pkg.go.dev/vuln/GO-2026-4866"
}
],
"release_date": "2026-04-08T01:06:56.546000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T17:01:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.src",
"AppStream-9.6.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
RHSA-2026:19721
Vulnerability from csaf_redhat - Published: 2026-05-20 16:56 - Updated: 2026-06-30 12:53
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix; Workaround |
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix |
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix; Workaround |
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix |
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 | — | | Vendor Fix; Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Collector with the supported components for a Red Hat build of OpenTelemetry\n\nSecurity Fix(es):\n\n* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)\n\n* github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\n* crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n\n* crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810)\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19721",
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19721.json"
}
],
"title": "Red Hat Security Advisory: opentelemetry-collector security update",
"tracking": {
"current_release_date": "2026-06-30T12:53:49+00:00",
"generator": {
"date": "2026-06-30T12:53:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:19721",
"initial_release_date": "2026-05-20T16:56:10+00:00",
"revision_history": [
{
"date": "2026-05-20T16:56:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T16:56:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T12:53:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.src",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.src",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.x86_64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.x86_64",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"product": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"product_id": "opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-2.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-2.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-2.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25679",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-03-06T22:02:11.567841+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445356"
}
],
"notes": [
{
"category": "description",
"text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "RHBZ#2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://go.dev/cl/752180",
"url": "https://go.dev/cl/752180"
},
{
"category": "external",
"summary": "https://go.dev/issue/77578",
"url": "https://go.dev/issue/77578"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4601",
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"release_date": "2026-03-06T21:28:14.211000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
},
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-32283",
"cwe": {
"id": "CWE-764",
"name": "Multiple Locks of a Critical Resource"
},
"discovery_date": "2026-04-08T02:01:16.213799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456338"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"category": "external",
"summary": "RHBZ#2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32283",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"category": "external",
"summary": "https://go.dev/cl/763767",
"url": "https://go.dev/cl/763767"
},
{
"category": "external",
"summary": "https://go.dev/issue/78334",
"url": "https://go.dev/issue/78334"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4870",
"url": "https://pkg.go.dev/vuln/GO-2026-4870"
}
],
"release_date": "2026-04-08T01:06:57.670000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-33810",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-04-08T02:01:09.100830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33810"
},
{
"category": "external",
"summary": "RHBZ#2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33810",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33810"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"category": "external",
"summary": "https://go.dev/cl/763763",
"url": "https://go.dev/cl/763763"
},
{
"category": "external",
"summary": "https://go.dev/issue/78332",
"url": "https://go.dev/issue/78332"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4866",
"url": "https://pkg.go.dev/vuln/GO-2026-4866"
}
],
"release_date": "2026-04-08T01:06:56.546000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T16:56:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.src",
"AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.144.0-2.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
RHSA-2026:19839
Vulnerability from csaf_redhat - Published: 2026-05-21 00:04 - Updated: 2026-06-30 02:58

A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.6\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable\ntime series from pmseries and Redis, live PCP metrics and bpftrace scripts from\npmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root\n(CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key\nupdate messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in\ncertificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s)\nlisted in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19839",
"url": "https://access.redhat.com/errata/RHSA-2026:19839"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19839.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2026-06-30T02:58:13+00:00",
"generator": {
"date": "2026-06-30T02:58:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:19839",
"initial_release_date": "2026-05-21T00:04:11+00:00",
"revision_history": [
{
"date": "2026-05-21T00:04:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-21T00:04:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T02:58:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-14.el9_6.src",
"product": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.src",
"product_id": "grafana-pcp-0:5.1.1-14.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-14.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"product": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"product_id": "grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-14.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-14.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-14.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"product": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"product_id": "grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-14.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-14.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-14.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-14.el9_6.s390x",
"product": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.s390x",
"product_id": "grafana-pcp-0:5.1.1-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-14.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"product_id": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-14.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-14.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"product": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"product_id": "grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-14.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-14.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-14.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64"
},
"product_reference": "grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le"
},
"product_reference": "grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x"
},
"product_reference": "grafana-pcp-0:5.1.1-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src"
},
"product_reference": "grafana-pcp-0:5.1.1-14.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64"
},
"product_reference": "grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-21T00:04:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in\nthis advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19839"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-21T00:04:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in\nthis advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19839"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-21T00:04:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in\nthis advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19839"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-32283",
"cwe": {
"id": "CWE-764",
"name": "Multiple Locks of a Critical Resource"
},
"discovery_date": "2026-04-08T02:01:16.213799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456338"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"category": "external",
"summary": "RHBZ#2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32283",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"category": "external",
"summary": "https://go.dev/cl/763767",
"url": "https://go.dev/cl/763767"
},
{
"category": "external",
"summary": "https://go.dev/issue/78334",
"url": "https://go.dev/issue/78334"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4870",
"url": "https://pkg.go.dev/vuln/GO-2026-4870"
}
],
"release_date": "2026-04-08T01:06:57.670000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-21T00:04:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in\nthis advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19839"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-pcp-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-14.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-14.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages"
}
]
}
RHSA-2026:20454
Vulnerability from csaf_redhat - Published: 2026-05-25 14:47 - Updated: 2026-06-30 04:24

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit it by presenting a specially crafted certificate chain containing a large number of policy mappings: validating such a chain is unexpectedly expensive, and the excessive resource consumption can deny service to applications or systems performing certificate validation. The slow path is only reached for chains that already validate to a root in VerifyOptions.Roots or in the system certificate pool, so the attacker needs a certificate issued under a CA the victim trusts.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64 | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64 | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x | — | Vendor Fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x | — | Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le | — | Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64 | — | Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64 | — | Workaround |
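The description above says where the cost comes from but not what a service can do about it while it still runs an affected Go build (anything before 1.25.9 or 1.26.2 according to the CVE record). The block below is an added example, not code from the advisory, from Red Hat or from the Go project: it hand-encodes the policyMappings extension (RFC 5280, 4.2.1.5) into a throwaway test chain, then shows a guard that counts the mappings across the chain a peer presented and refuses to call Certificate.Verify when they exceed an operator-chosen budget, so the expensive policy processing is never reached. Everything in it is this example's own: the names countPolicyMappings, verifyWithBudget and buildChain, the placeholder OIDs under 1.3.6.1.4.1.99999, the example CA names, and the budgets 8 and 4. Upgrading remains the fix; the guard is defense in depth, and a refusal is worth logging, since per the Statement in the record a chain that reaches the slow path already validates to a trusted root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-policyMappings (RFC 5280, 4.2.1.5); its body is a SEQUENCE OF policyMapping.
var oidPolicyMappings = asn1.ObjectIdentifier{2, 5, 29, 33}

type policyMapping struct {
	IssuerDomainPolicy  asn1.ObjectIdentifier
	SubjectDomainPolicy asn1.ObjectIdentifier
}

// countPolicyMappings decodes the raw extension from the parsed certificate, so it
// behaves the same on any Go version. A certificate without the extension yields 0.
func countPolicyMappings(cert *x509.Certificate) (int, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidPolicyMappings) {
			continue
		}
		var mappings []policyMapping
		rest, err := asn1.Unmarshal(ext.Value, &mappings)
		if err != nil || len(rest) != 0 {
			return 0, fmt.Errorf("malformed policyMappings extension in %q", cert.Subject.CommonName)
		}
		return len(mappings), nil
	}
	return 0, nil
}

// verifyWithBudget is the guarded form of leaf.Verify. presented is the chain as the peer
// sent it (leaf first); the mappings across it are summed and compared with maxMappings
// before Verify, and with it the policy processing, is reached. The budget is an
// operator-chosen value (hypothetical here), not a figure from the advisory.
func verifyWithBudget(presented []*x509.Certificate, roots *x509.CertPool, maxMappings int) error {
	if len(presented) == 0 {
		return fmt.Errorf("empty chain")
	}
	total, inters := 0, x509.NewCertPool()
	for i, c := range presented {
		n, err := countPolicyMappings(c)
		if err != nil {
			return err
		}
		total += n
		if i > 0 {
			inters.AddCert(c)
		}
	}
	if total > maxMappings {
		return fmt.Errorf("chain carries %d policy mappings, budget is %d: refusing to verify", total, maxMappings)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// buildChain issues root -> intermediate -> leaf with fresh Ed25519 keys and returns the
// root pool plus the chain a peer would present (leaf, intermediate). The intermediate
// carries numMappings policy mappings, hand-encoded into ExtraExtensions so the extension
// is emitted whatever the x509usepolicies setting. OIDs under 1.3.6.1.4.1.99999 are placeholders.
func buildChain(numMappings int) (roots *x509.CertPool, chain []*x509.Certificate, err error) {
	mappings := make([]policyMapping, numMappings)
	for i := range mappings {
		mappings[i].IssuerDomainPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, i + 1}
		mappings[i].SubjectDomainPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2, i + 1}
	}
	body, err := asn1.Marshal(mappings)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	var certs [3]*x509.Certificate
	var keys [3]ed25519.PrivateKey
	for i, cn := range []string{"Example Root", "Example Intermediate", "leaf.example.test"} {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: i < 2, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if i < 2 {
			t.KeyUsage = x509.KeyUsageCertSign
		}
		if i == 1 { // non-critical, so parsers that predate policy support still accept it
			t.ExtraExtensions = []pkix.Extension{{Id: oidPolicyMappings, Value: body}}
		}
		var pub ed25519.PublicKey
		if pub, keys[i], err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
		parent, signer := t, keys[0] // the root signs itself
		if i > 0 {
			parent, signer = certs[i-1], keys[i-1]
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			return nil, nil, err
		}
		if certs[i], err = x509.ParseCertificate(der); err != nil {
			return nil, nil, err
		}
	}
	roots = x509.NewCertPool()
	roots.AddCert(certs[0])
	return roots, []*x509.Certificate{certs[2], certs[1]}, nil
}

func main() {
	roots, chain, err := buildChain(6)
	if err != nil {
		panic(err)
	}
	fmt.Println("budget 8:", verifyWithBudget(chain, roots, 8)) // <nil>
	fmt.Println("budget 4:", verifyWithBudget(chain, roots, 4)) // refused before Verify
}
```

countPolicyMappings reads the extension out of Certificate.Extensions rather than from a typed field, so the guard gives the same answer on Go versions before and after the parser learned about policy mappings, and its cost is linear in the size of the presented chain. Pick the budget from what your trust store actually issues; chains in the public web PKI carry no policy mappings at all, and private PKIs that use them carry a handful, so a threshold in the low tens leaves legitimate traffic untouched while cutting off the crafted-chain case the advisory describes.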
A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64 | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64 | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64 | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64 | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 2.6 | registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x | — | Vendor Fix; Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 1.73.31 for Red Hat OpenShift Service Mesh 2.6 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 2.6. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 1.73.31, for Red Hat OpenShift Service Mesh 2.6, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 Go crypto/x509: Denial of Service via inefficient certificate chain validation (OSSM-13866)\n* CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget (OSSM-13774, OSSM-13775)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:20454",
"url": "https://access.redhat.com/errata/RHSA-2026:20454"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_20454.json"
}
],
"title": "Red Hat Security Advisory: Kiali 1.73.31 for Red Hat OpenShift Service Mesh 2.6",
"tracking": {
"current_release_date": "2026-06-30T04:24:44+00:00",
"generator": {
"date": "2026-06-30T04:24:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:20454",
"initial_release_date": "2026-05-25T14:47:42+00:00",
"revision_history": [
{
"date": "2026-05-25T14:47:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-25T14:47:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:24:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 2.6",
"product": {
"name": "Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:2.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3A2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520348"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520355"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3Afa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520348"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520355"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3A7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520348"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520355"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3Afba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520348"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520355"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-25T14:47:42+00:00",
"details": "See Kiali 1.73.31 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20454"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-42044",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:13.418725+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "RHBZ#2461624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
}
],
"release_date": "2026-04-24T17:49:49.517000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-25T14:47:42+00:00",
"details": "See Kiali 1.73.31 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20454"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:1910b9dac1f597a06e08a56291ecf035a73a1bf50fdde8b1d59e7b335e10fd79_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:20b3d236fd4adfe4e9f6cf3a156e775efc6123fdfe83c79f1656dff9ea50b785_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:5de8052e33e34de10c7441e08d8a9a095a77f8714a82820e84edf80fb5711ed7_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:887ae86218b2202438cdc88820b8530d4c85fe19d1c6b581e08364adb63a2b02_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:2ad267b095e913752434847710a31f7371c72c93544e851e67416f63036197a3_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:7ddfc26f3c2ba2f8087dbb101128c98e7b651f5daf793b6a6e8aea69af677213_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fa92ccdfd2ce5f20b93f6a1c8b249bab10f2d4624c3c5203eb74aa45c034cb3d_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:fba61b8ada52530ff0aadc5a33eb68fb05c0855413203b3981c7a0b914c71e00_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
}
]
}
RHSA-2026:20455
Vulnerability from csaf_redhat - Published: 2026-05-25 14:47 - Updated: 2026-06-30 02:58

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation. The chain must still validate to a root the verifier trusts (see the Red Hat statement on CVE-2026-32281 above), so the attacker needs a certificate issued under an already-trusted CA.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64 | — | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x | — | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64 | — | — | Vendor Fix; Workaround |
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le | — | — | Vendor Fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le | — | — | Workaround |
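Reading an advisory like the two above by hand means hunting through `product_status`, `flags`, `remediations`, `scores` and `threats` for every CVE to answer the only questions that matter operationally: which image digests are the fixed build, which are declared not affected, what impact Red Hat assigned, and where the fix is. The Go program below is an added example, not code from Red Hat, Kiali or the Go project; it parses just those CSAF 2.0 fields from a constructed, abbreviated sample modeled on the JSON above (shortened placeholder digests, and the second entry given a `vulnerable_code_not_present` flag to exercise that path). Treating that flag as equivalent to `known_not_affected` is an assumption about how Red Hat uses it, not a rule from the CSAF specification.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleCSAF is a constructed, abbreviated CSAF 2.0 document in the shape Red Hat
// publishes; digests are shortened placeholders and the second entry was given a
// vulnerable_code_not_present flag to exercise that path.
const sampleCSAF = `{
 "document": {"tracking": {"id": "RHSA-2026:20454"}},
 "vulnerabilities": [
  {"cve": "CVE-2026-32281", "cwe": {"id": "CWE-1050"},
   "product_status": {"fixed": ["OSSM 2.6:kiali-rhel8@sha256:2ad2_amd64"],
                      "known_not_affected": ["OSSM 2.6:kiali-ossmc-rhel8@sha256:1910_s390x"]},
   "remediations": [{"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2026:20454"},
                    {"category": "workaround", "details": "not available"}],
   "scores": [{"cvss_v3": {"baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],
   "threats": [{"category": "impact", "details": "Moderate"}]},
  {"cve": "CVE-2026-42044", "cwe": {"id": "CWE-915"},
   "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["OSSM 2.6:kiali-ossmc-rhel8@sha256:1910_s390x"]}],
   "product_status": {"fixed": ["OSSM 2.6:kiali-rhel8@sha256:2ad2_amd64"]},
   "remediations": [{"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2026:20454"}],
   "scores": [{"cvss_v3": {"baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}}],
   "threats": [{"category": "impact", "details": "Important"}]}
 ]
}`

// csafDoc maps only the CSAF fields triage needs; encoding/json ignores the rest.
// Keys match case-insensitively, so tags are only needed for underscored keys.
type csafDoc struct {
	Document        struct{ Tracking struct{ ID string } }
	Vulnerabilities []struct {
		CVE           string
		CWE           struct{ ID string }
		Flags         []struct{ Label string; ProductIDs []string `json:"product_ids"` }
		ProductStatus struct{ Fixed []string; KnownNotAffected []string `json:"known_not_affected"` } `json:"product_status"`
		Remediations  []struct{ Category, URL string }
		Scores        []struct{ CVSSv3 struct{ BaseScore float64; VectorString string } `json:"cvss_v3"` }
		Threats       []struct{ Category, Details string }
	}
}

// Finding is one triage row: Red Hat's own impact rating and CVSS (which can differ
// from the score in the CVE record) plus the product IDs the advisory fixes or
// declares not affected. NotAffected may repeat an ID; Status does not care.
type Finding struct {
	Advisory, CVE, CWE, Impact, CVSSVector, FixURL string
	BaseScore                                        float64
	Fixed, NotAffected                               []string
}

// Triage extracts one Finding per vulnerability. Folding vulnerable_code_not_present
// flags into NotAffected is an assumption about how Red Hat uses that flag.
func Triage(raw []byte) ([]Finding, error) {
	var doc csafDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("csaf: %w", err)
	}
	var out []Finding
	for _, v := range doc.Vulnerabilities {
		f := Finding{Advisory: doc.Document.Tracking.ID, CVE: v.CVE, CWE: v.CWE.ID,
			Fixed: v.ProductStatus.Fixed, NotAffected: v.ProductStatus.KnownNotAffected}
		for _, fl := range v.Flags {
			if fl.Label == "vulnerable_code_not_present" {
				f.NotAffected = append(f.NotAffected, fl.ProductIDs...)
			}
		}
		for _, r := range v.Remediations {
			if r.Category == "vendor_fix" {
				f.FixURL = r.URL
			}
		}
		for _, t := range v.Threats {
			if t.Category == "impact" {
				f.Impact = t.Details
			}
		}
		if len(v.Scores) > 0 {
			f.BaseScore, f.CVSSVector = v.Scores[0].CVSSv3.BaseScore, v.Scores[0].CVSSv3.VectorString
		}
		out = append(out, f)
	}
	return out, nil
}

// Status answers the operational question for one deployed image reference:
// "fixed" if it is the patched build, "not_affected", or "unknown" when the
// advisory does not mention that exact product ID (digest and arch included).
func Status(f Finding, productID string) string {
	for _, c := range []struct{ ids []string; label string }{{f.Fixed, "fixed"}, {f.NotAffected, "not_affected"}} {
		for _, id := range c.ids {
			if id == productID {
				return c.label
			}
		}
	}
	return "unknown"
}
```

To use it against a real advisory, read the canonical CSAF JSON listed under the document's references instead of `sampleCSAF`, and call `Status` with the exact product IDs of the images actually pulled into the cluster: Red Hat keys `product_status` by image digest and architecture, not by tag, so a tag-based comparison will report `unknown` for everything.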
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.17.8 for Red Hat OpenShift Service Mesh 3.2 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.2. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.17.8, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 Go crypto/x509: Denial of Service via inefficient certificate chain validation (OSSM-13869)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:20455",
"url": "https://access.redhat.com/errata/RHSA-2026:20455"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_20455.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.17.8 for Red Hat OpenShift Service Mesh 3.2",
"tracking": {
"current_release_date": "2026-06-30T02:58:13+00:00",
"generator": {
"date": "2026-06-30T02:58:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:20455",
"initial_release_date": "2026-05-25T14:47:57+00:00",
"revision_history": [
{
"date": "2026-05-25T14:47:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-25T14:48:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T02:58:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520857"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520851"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520857"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520851"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aaf88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520857"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Aca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520851"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520857"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520851"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-25T14:47:57+00:00",
"details": "See Kiali 2.17.8 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:849f91f2cb0d582e1cc5497f491ff6549ed40ad9edb58f3b17cea5674a3e51cd_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:904b844d6a7fae4f41543d8700a0a53959aab343aa0016bc3ad9cdd867888fb4_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:97108094c210987dd296c844f823a0c5c80d14c5a06dac046ca9d4496b90977c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ca0320cd135ea6bb92c923c58c84b17ae4f121a5fd0145062a9008f339dadace_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:37054f2e44514d5419af8381123d7ae81000e7e34fdb99472e965f843340c427_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:482cbad61e21f9ef5ccc074b798ad422f341ae17f1f7281947721f7280c0d9a7_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7852143b4d381db16057dd3e440e5ae9c4e10995753618472e5e42baa7f1586c_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:af88ffb1e47738702d8e84c0111ada77697f06d8b5baca25dbfda806add3c1f7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:20456
Vulnerability from csaf_redhat - Published: 2026-05-25 14:48 - Updated: 2026-06-30 02:58
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64 | — | | Vendor Fix (fix); Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x | — | | Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.4.17 for Red Hat OpenShift Service Mesh 3.0 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.0. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.4.17, for Red Hat OpenShift Service Mesh 3.0, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 Go crypto/x509: Denial of Service via inefficient certificate chain validation (OSSM-13867)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:20456",
"url": "https://access.redhat.com/errata/RHSA-2026:20456"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_20456.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.4.17 for Red Hat OpenShift Service Mesh 3.0",
"tracking": {
"current_release_date": "2026-06-30T02:58:13+00:00",
"generator": {
"date": "2026-06-30T02:58:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:20456",
"initial_release_date": "2026-05-25T14:48:15+00:00",
"revision_history": [
{
"date": "2026-05-25T14:48:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-25T14:48:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T02:58:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.0",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520253"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520118"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520253"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520118"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520253"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520118"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520253"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520118"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-25T14:48:15+00:00",
"details": "See Kiali 2.4.17 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20456"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4c1c113b5359d8bb7b99d26731156eb7523df3c3e46a301b37c638e821883a01_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4ce77d0a83c4b01ac1638c372360be8d970fd5c667749d133c9437d30cb206b3_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61fbdc44a87c1484e5081345e767000895801ea55a8c6e1344bded1836d44729_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9368c09b14d1743451257f901ec8e4b5d50f7343a2bbaf723aa6a7f9cb586882_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:075ca2039b54596754e028706abc0b4e719cfb6a1adc7dd0a512f1cf06adc3d0_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:196394c3907ff6ed0849a8086256265708256a80c2f3b47029cf902f2ee801df_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3aa2d2ff20f790e03eec33d5501552b0c874bf40097f1486282811f34fcf7139_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9ef5694c6fb038a38b7f76f03501e5d094af381fad483d49518dd156a001d7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:20457
Vulnerability from csaf_redhat - Published: 2026-05-25 14:48 - Updated: 2026-06-30 02:58
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64 | — | | Vendor Fix; Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64 | — | | Vendor Fix; Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x | — | | Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.11.11 for Red Hat OpenShift Service Mesh 3.1 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.1. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.11.11, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 Go crypto/x509: Denial of Service via inefficient certificate chain validation (OSSM-13868)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:20457",
"url": "https://access.redhat.com/errata/RHSA-2026:20457"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_20457.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.11.11 for Red Hat OpenShift Service Mesh 3.1",
"tracking": {
"current_release_date": "2026-06-30T02:58:13+00:00",
"generator": {
"date": "2026-06-30T02:58:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:20457",
"initial_release_date": "2026-05-25T14:48:14+00:00",
"revision_history": [
{
"date": "2026-05-25T14:48:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-25T14:48:24+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T02:58:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520433"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520365"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ae8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520433"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Accd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520365"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520433"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520365"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520433"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Af177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520365"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-25T14:48:14+00:00",
"details": "See Kiali 2.11.11 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20457"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9874be237b24e860768f2d7ea9074ee225e64c363181b1cfd8c9cc37cca018f3_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb2642232c7b80ff411b2ff03b3e1ad05f01bd073587ebdd2bb6561a7757bfbe_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ccd47034fb55a8ff312039213bf137e10f38449f935040679ac13f7d78f2e142_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f177998fa5c4abaa2edc2caac1d4a8f5f0777b48ff3eaf6ac61bebecc3370a42_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:7206679dbbf3986f2fbb728e69ecd61da448e5c3c3b2e4dcd97ea1bd4fc6e5fa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:862990dfcd46dc345215fc27a1d0b9670b8f31c83fe9e2b19d8ed813a9338d31_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:918dc1bb66e24f9c8a56e32c6dfb4dabbd596565ca6025c1e0306ec9a1353912_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e8f30f6ec276865a6ef570eb9a2f96cc9589518aff5e254f39a79229fa61f52a_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:20460
Vulnerability from csaf_redhat - Published: 2026-05-25 15:04 - Updated: 2026-06-30 02:58

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
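The practical triage question this advisory leaves to the reader is which of your Go binaries (the Kiali images listed below, or anything else you ship) were compiled with a toolchain that still carries the slow policy-mapping validation. The following is an added example, not code from the Red Hat advisory or the Kiali project: it reads the build metadata that every Go binary embeds (the same data `go version -m` prints, exposed by the standard-library `debug/buildinfo` package) and compares the toolchain version against the affected ranges. The ranges encoded in `CVE202632281` are an assumption to be checked against the upstream CVE record before relying on them, and the tool name `x509check` is hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go toolchain version ("go1.25.8" -> {1, 25, 8}).
type GoVersion struct{ Major, Minor, Patch int }

// Less reports whether v sorts before o.
func (v GoVersion) Less(o GoVersion) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// leadingInt parses the leading decimal digits of s ("26rc1" -> 26).
func leadingInt(s string) (int, error) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("no leading digits in %q", s)
	}
	return strconv.Atoi(s[:i])
}

// ParseGoVersion accepts the forms the toolchain emits: "go1.25.8", "go1.26"
// and pre-releases such as "go1.26rc1". A pre-release is treated as X.Y.0 so
// that it stays inside a range whose lower bound is X.Y.0.
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.SplitN(s, ".", 3)
	if len(parts) < 2 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v GoVersion
	var err error
	if v.Major, err = leadingInt(parts[0]); err != nil {
		return GoVersion{}, err
	}
	if v.Minor, err = leadingInt(parts[1]); err != nil {
		return GoVersion{}, err
	}
	if len(parts) == 3 {
		if v.Patch, err = leadingInt(parts[2]); err != nil {
			return GoVersion{}, err
		}
	}
	return v, nil
}

// Range is a half-open affected interval [Introduced, Fixed).
type Range struct{ Introduced, Fixed GoVersion }

// CVE202632281 is an assumed encoding of the affected ranges for this CVE:
// everything before 1.25.9, and the 1.26 line up to but excluding 1.26.2.
// Verify these bounds against the upstream CVE record before relying on them.
var CVE202632281 = []Range{
	{Introduced: GoVersion{0, 0, 0}, Fixed: GoVersion{1, 25, 9}},
	{Introduced: GoVersion{1, 26, 0}, Fixed: GoVersion{1, 26, 2}},
}

// Affected reports whether v falls inside any of the ranges.
func Affected(v GoVersion, ranges []Range) bool {
	for _, r := range ranges {
		if !v.Less(r.Introduced) && v.Less(r.Fixed) {
			return true
		}
	}
	return false
}

// AffectedGoVersion is the string convenience wrapper: "go1.25.8" -> true.
func AffectedGoVersion(s string) (bool, error) {
	v, err := ParseGoVersion(s)
	if err != nil {
		return false, err
	}
	return Affected(v, CVE202632281), nil
}

// CheckBinary reads the build metadata embedded in a compiled Go binary and
// reports its toolchain version and whether that version is in an affected range.
func CheckBinary(path string) (version string, affected bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	affected, err = AffectedGoVersion(bi.GoVersion)
	return bi.GoVersion, affected, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: x509check <go-binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		ver, affected, err := CheckBinary(path)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", path, err)
			exit = 2
		case affected:
			fmt.Printf("%s: built with %s -> AFFECTED by CVE-2026-32281\n", path, ver)
			exit = 1
		default:
			fmt.Printf("%s: built with %s -> not affected\n", path, ver)
		}
	}
	os.Exit(exit)
}
```

Run it against binaries extracted from a container image (for example the `kiali` executable copied out with `podman cp`). The exit code is 1 when any binary is affected, so it drops into a CI gate directly. For production use prefer `govulncheck -mode=binary`, which consults the Go vulnerability database and also tells you whether the affected `crypto/x509` symbols are reachable; the version check above only says the vulnerable code is present. Red Hat's statement further down narrows real exposure to chains that already validate up to a trusted root, so a positive hit here means "patch", not "being exploited".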
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le | — | — | Vendor fix; workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64 | — | — | Vendor fix; workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64 | — | — | Vendor fix; workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x | — | — | Vendor fix; workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64 | — | — | Workaround |
| Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x | — | — | Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.22.4 for Red Hat OpenShift Service Mesh 3.3 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.3. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.22.4, for Red Hat OpenShift Service Mesh 3.3, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 Go crypto/x509: Denial of Service via inefficient certificate chain validation (OSSM-13870)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:20460",
"url": "https://access.redhat.com/errata/RHSA-2026:20460"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_20460.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.22.4 for Red Hat OpenShift Service Mesh 3.3",
"tracking": {
"current_release_date": "2026-06-30T02:58:17+00:00",
"generator": {
"date": "2026-06-30T02:58:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:20460",
"initial_release_date": "2026-05-25T15:04:34+00:00",
"revision_history": [
{
"date": "2026-05-25T15:04:34+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-25T15:04:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T02:58:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.3",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.3::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ae4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520708"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-operator-bundle@sha256%3A5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779522281"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Ab136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520538"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520828"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aa4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520708"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Adaa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520538"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ab5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520828"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520708"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3A5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520538"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520828"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Af588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520708"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Af43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520538"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1779520828"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-25T15:04:34+00:00",
"details": "See Kiali 2.22.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20460"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:5f0d9c37da0df2e01de1965b121a0beffd3a4a61b29f317058eee3ed48a5411c_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:0cd332b82542de28dc6d2dd7e955924fe3de35a5206bc2e9f4d4e2bd9a591148_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:625caa76382f8236b0ae5c1c438008a61f64a7b1497f861fef475f7428da477c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6395e4a973d90ebb1250a4f7aa131ab812eb5d9d3bc5900ccb329e87b8f1c9ea_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b5a4fd9b6ec6eef405c167cbe70fde3c2618f26fb7ce837bf1d56c36e6064e1f_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:5bc3aab90ba7a7b6c1971110f235b67bbc3e1bcfa5c312b7cc7cfcd81d25912c_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:b136ce6fcc852f6af963c35f1a39bfecb942b0189a26e22b9e404b5ceca0be13_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:daa5ce7c32434365161ed729a6fdb88587e658347e368e143b2338285bf44a29_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f43ad850d505a0cd2ce61970413389c5ac2e23edba4891e3977e5d541a09b33b_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:801430f3d82d109bfecd3d1e1703200dc98a6c35eee0330b1c90d0fb4804ae11_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a4dc7862130d17dd424af3b3e285850448a7c85bfcc191bce9afa42d9f5c71f7_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e4e55c3b1e398a962cbde38dd30260c77514d97e558028e0991f4a57bcb8d0be_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:f588d5d77bb0b4efdfca01f1ca7414fcadc90a97b165628b8f99bdd4df80c8a7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:20556
Vulnerability from csaf_redhat - Published: 2026-05-26 03:55 - Updated: 2026-06-30 02:58
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix; Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix; Workaround |
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:20556",
"url": "https://access.redhat.com/errata/RHSA-2026:20556"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_20556.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-06-30T02:58:14+00:00",
"generator": {
"date": "2026-06-30T02:58:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:20556",
"initial_release_date": "2026-05-26T03:55:05+00:00",
"revision_history": [
{
"date": "2026-05-26T03:55:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-26T03:55:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T02:58:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-21.el9_6.src",
"product": {
"name": "grafana-0:10.2.6-21.el9_6.src",
"product_id": "grafana-0:10.2.6-21.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-21.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-21.el9_6.aarch64",
"product": {
"name": "grafana-0:10.2.6-21.el9_6.aarch64",
"product_id": "grafana-0:10.2.6-21.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-21.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"product": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"product_id": "grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-21.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"product": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"product_id": "grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-21.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"product_id": "grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-21.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-21.el9_6.ppc64le",
"product": {
"name": "grafana-0:10.2.6-21.el9_6.ppc64le",
"product_id": "grafana-0:10.2.6-21.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-21.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"product": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"product_id": "grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-21.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"product": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"product_id": "grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-21.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"product": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"product_id": "grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-21.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-21.el9_6.s390x",
"product": {
"name": "grafana-0:10.2.6-21.el9_6.s390x",
"product_id": "grafana-0:10.2.6-21.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-21.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-21.el9_6.s390x",
"product": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.s390x",
"product_id": "grafana-selinux-0:10.2.6-21.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-21.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"product": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"product_id": "grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-21.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"product": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"product_id": "grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-21.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-21.el9_6.x86_64",
"product": {
"name": "grafana-0:10.2.6-21.el9_6.x86_64",
"product_id": "grafana-0:10.2.6-21.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-21.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-21.el9_6.x86_64",
"product": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.x86_64",
"product_id": "grafana-selinux-0:10.2.6-21.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-21.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"product": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"product_id": "grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-21.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"product_id": "grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-21.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-21.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64"
},
"product_reference": "grafana-0:10.2.6-21.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-21.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le"
},
"product_reference": "grafana-0:10.2.6-21.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-21.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x"
},
"product_reference": "grafana-0:10.2.6-21.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-21.el9_6.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src"
},
"product_reference": "grafana-0:10.2.6-21.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-21.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64"
},
"product_reference": "grafana-0:10.2.6-21.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le"
},
"product_reference": "grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x"
},
"product_reference": "grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-21.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64"
},
"product_reference": "grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le"
},
"product_reference": "grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x"
},
"product_reference": "grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-21.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64"
},
"product_reference": "grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64"
},
"product_reference": "grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le"
},
"product_reference": "grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x"
},
"product_reference": "grafana-selinux-0:10.2.6-21.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-21.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
},
"product_reference": "grafana-selinux-0:10.2.6-21.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-26T03:55:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-26T03:55:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20556"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-26T03:55:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20556"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-32283",
"cwe": {
"id": "CWE-764",
"name": "Multiple Locks of a Critical Resource"
},
"discovery_date": "2026-04-08T02:01:16.213799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456338"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"category": "external",
"summary": "RHBZ#2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32283",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"category": "external",
"summary": "https://go.dev/cl/763767",
"url": "https://go.dev/cl/763767"
},
{
"category": "external",
"summary": "https://go.dev/issue/78334",
"url": "https://go.dev/issue/78334"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4870",
"url": "https://pkg.go.dev/vuln/GO-2026-4870"
}
],
"release_date": "2026-04-08T01:06:57.670000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-26T03:55:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:20556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.src",
"AppStream-9.6.0.Z.EUS:grafana-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debuginfo-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-debugsource-0:10.2.6-21.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:grafana-selinux-0:10.2.6-21.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages"
}
]
}