CVE-2026-39883 (GCVE-0-2026-39883)
Vulnerability from cvelistv5 – Published: 2026-04-08 20:26 – Updated: 2026-04-10 20:52
- CWE-426 - Untrusted Search Path
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx | x_refsource_CONFIRM |
| http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-go | Affected: >= 1.15.0, < 1.43.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T20:52:34.310842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:52:54.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-go",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.43.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T20:26:41.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
},
{
"name": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
}
],
"source": {
"advisory": "GHSA-hfvc-g4fc-pqhx",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39883",
"datePublished": "2026-04-08T20:26:41.731Z",
"dateReserved": "2026-04-07T20:32:03.010Z",
"dateUpdated": "2026-04-10T20:52:54.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-39883",
"date": "2026-06-22",
"epss": "0.00196",
"percentile": "0.09406"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-39883\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-08T21:17:00.697\",\"lastModified\":\"2026-04-10T21:16:27.120\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedS
ubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-426\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.43.0\",\"matchCriteriaId\":\"4103FB9A-4AC6-4128-B55B-AEF0DACCC2D2\"}]}]}],\"references\":[{\"url\":\"http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release 
Notes\"]},{\"url\":\"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39883\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T20:52:34.310842Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T20:52:50.295Z\"}}], \"cna\": {\"title\": \"OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking\", \"source\": {\"advisory\": \"GHSA-hfvc-g4fc-pqhx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"open-telemetry\", \"product\": \"opentelemetry-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.15.0, \u003c 1.43.0\"}]}], \"references\": [{\"url\": 
\"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx\", \"name\": \"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0\", \"name\": \"http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-426\", \"description\": \"CWE-426: Untrusted Search Path\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-08T20:26:41.731Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-39883\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T20:52:54.819Z\", \"dateReserved\": \"2026-04-07T20:32:03.010Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-08T20:26:41.731Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
cleanstart-2026-vz08395
Vulnerability from cleanstart
Multiple security vulnerabilities affect the fluent-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "fluent-operator-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0-r4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the fluent-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-VZ08395",
"modified": "2026-05-03T16:14:21Z",
"published": "2026-05-18T13:47:24.765586Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-VZ08395.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9h8m-3fm2-qjrq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-24051, CVE-2026-27139, CVE-2026-27141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-39883, ghsa-9h8m-3fm2-qjrq, ghsa-p77j-4mvh-x3m3 applied in versions: 3.6.0-r3, 3.6.0-r4",
"upstream": [
"CVE-2026-24051",
"CVE-2026-27139",
"CVE-2026-27141",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33810",
"CVE-2026-39883",
"ghsa-9h8m-3fm2-qjrq",
"ghsa-p77j-4mvh-x3m3"
]
}
cleanstart-2026-wa14162
Vulnerability from cleanstart
Multiple security vulnerabilities affect the prometheus package. The Delete function fails to properly validate offsets when processing malformed JSON input. See references for individual vulnerability details.
| URL | Type |
|---|---|
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "prometheus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.1-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the prometheus package. The Delete function fails to properly validate offsets when processing malformed JSON input. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-WA14162",
"modified": "2026-04-13T12:49:18Z",
"published": "2026-04-14T00:42:42.057691Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-WA14162.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32285"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39882"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39882"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Delete function fails to properly validate offsets when processing malformed JSON input",
"upstream": [
"CVE-2026-24051",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32285",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-39882",
"CVE-2026-39883"
]
}
cleanstart-2026-wb89098
Vulnerability from cleanstart
Multiple security vulnerabilities affect the openbao-fips package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
| URL | Type |
|---|---|
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "openbao-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.2-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the openbao-fips package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-WB89098",
"modified": "2026-04-29T07:53:17Z",
"published": "2026-04-30T00:58:56.861710Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-WB89098.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61727"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33816"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-78h2-9frx-2jm8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hfvc-g4fc-pqhx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j88v-2chj-qfwx"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61727"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-61727",
"CVE-2025-61729",
"CVE-2025-68121",
"CVE-2026-1229",
"CVE-2026-25679",
"CVE-2026-26958",
"CVE-2026-27139",
"CVE-2026-27142",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33810",
"CVE-2026-33816",
"CVE-2026-34986",
"CVE-2026-39883",
"ghsa-78h2-9frx-2jm8",
"ghsa-hfvc-g4fc-pqhx",
"ghsa-j88v-2chj-qfwx"
]
}
cleanstart-2026-wl14185
Vulnerability from cleanstart
Multiple security vulnerabilities affect the velero-fips package. spdystream is a Go library for multiplexing streams over SPDY connections. See references for individual vulnerability details.
| URL | Type |
|---|---|
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "velero-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.2-r6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the velero-fips package. spdystream is a Go library for multiplexing streams over SPDY connections. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-WL14185",
"modified": "2026-04-24T13:02:31Z",
"published": "2026-04-25T00:47:05.458867Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-WL14185.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35469"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hfvc-g4fc-pqhx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pc3f-x583-g7j2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xmrv-pmrh-hhx2"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35469"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "spdystream is a Go library for multiplexing streams over SPDY connections",
"upstream": [
"CVE-2025-61726",
"CVE-2025-61728",
"CVE-2025-61729",
"CVE-2025-61730",
"CVE-2025-68119",
"CVE-2025-68121",
"CVE-2026-24051",
"CVE-2026-25679",
"CVE-2026-27139",
"CVE-2026-27142",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33810",
"CVE-2026-34986",
"CVE-2026-35469",
"CVE-2026-39883",
"ghsa-f6x5-jh6r-wrfv",
"ghsa-hfvc-g4fc-pqhx",
"ghsa-j5w8-q4qc-rx2x",
"ghsa-pc3f-x583-g7j2",
"ghsa-xmrv-pmrh-hhx2"
]
}
FKIE_CVE-2026-39883
Vulnerability from fkie_nvd - Published: 2026-04-08 21:17 - Updated: 2026-06-17 10:42
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
| Vendor | Product | Version | |
|---|---|---|---|
| opentelemetry | opentelemetry | * |
{
"affected": [
{
"affectedData": [
{
"product": "opentelemetry-go",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.43.0"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*",
"matchCriteriaId": "4103FB9A-4AC6-4128-B55B-AEF0DACCC2D2",
"versionEndExcluding": "1.43.0",
"versionStartIncluding": "1.15.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0."
}
],
"id": "CVE-2026-39883",
"lastModified": "2026-06-17T10:42:44.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-39883",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T20:52:34.310842Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-04-08T21:17:00.697",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-426"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-HFVC-G4FC-PQHX
Vulnerability from github – Published: 2026-04-08 19:22 – Updated: 2026-04-09 14:29
Summary
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.
Root Cause
sdk/resource/host_id.go line 42:
if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {
Compare with the fixed Darwin path at line 58:
result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.
Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.
The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.
Attack
- Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
- Attacker places a malicious kenv binary earlier in $PATH
- Application initializes OpenTelemetry resource detection at startup
- hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
- Arbitrary code executes in the context of the application
Same attack vector and impact as CVE-2026-24051.
Suggested Fix
Use the absolute path:
if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {
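On FreeBSD, kenv is located at /bin/kenv. This location is stated for FreeBSD only; for the other affected platforms listed above, confirm where kenv is installed before relying on the same absolute path.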
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.42.0"
},
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/sdk"
},
"ranges": [
{
"events": [
{
"introduced": "1.15.0"
},
{
"fixed": "1.43.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39883"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T19:22:12Z",
"nvd_published_at": "2026-04-08T21:17:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin `ioreg` command to use an absolute path but left the BSD `kenv` command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.\n\n## Root Cause\n\n`sdk/resource/host_id.go` line 42:\n\n if result, err := r.execCommand(\"kenv\", \"-q\", \"smbios.system.uuid\"); err == nil {\n\nCompare with the fixed Darwin path at line 58:\n\n result, err := r.execCommand(\"/usr/sbin/ioreg\", \"-rd1\", \"-c\", \"IOPlatformExpertDevice\")\n\nThe `execCommand` helper at `sdk/resource/host_id_exec.go` uses `exec.Command(name, arg...)` which searches `$PATH` when the command name contains no path separator.\n\nAffected platforms (per build tag in `host_id_bsd.go:4`): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.\n\nThe `kenv` path is reached when `/etc/hostid` does not exist (line 38-40), which is common on FreeBSD systems.\n\n## Attack\n\n1. Attacker has local access to a system running a Go application that imports `go.opentelemetry.io/otel/sdk`\n2. Attacker places a malicious `kenv` binary earlier in `$PATH`\n3. Application initializes OpenTelemetry resource detection at startup\n4. `hostIDReaderBSD.read()` calls `exec.Command(\"kenv\", ...)` which resolves to the malicious binary\n5. Arbitrary code executes in the context of the application\n\nSame attack vector and impact as CVE-2026-24051.\n\n## Suggested Fix\n\nUse the absolute path:\n\n if result, err := r.execCommand(\"/bin/kenv\", \"-q\", \"smbios.system.uuid\"); err == nil {\n\nOn FreeBSD, `kenv` is located at `/bin/kenv`.",
"id": "GHSA-hfvc-g4fc-pqhx",
"modified": "2026-04-09T14:29:41Z",
"published": "2026-04-08T19:22:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-go"
},
{
"type": "WEB",
"url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking"
}
RHSA-2026:26254
Vulnerability from csaf_redhat - Published: 2026-06-16 10:11 - Updated: 2026-06-16 10:23
A memory leak flaw has been discovered in the golang github.com/ulikunitz/xz package. In affected versions, data can be placed in front of an LZMA-encoded byte stream without this being detected while the header is read. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would detect such an issue. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64 | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le | — |
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64 | — |
Workaround
|
A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system's PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64 | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le | — | ||
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64 | — |
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:26254 | self |
| https://access.redhat.com/security/cve/CVE-2025-58058 | external |
| https://access.redhat.com/security/cve/CVE-2026-39883 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2025-58058 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2391585 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-58058 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-58058 | external |
| https://github.com/ulikunitz/xz/commit/88ddf1d0d9… | external |
| https://github.com/ulikunitz/xz/security/advisori… | external |
| https://access.redhat.com/security/cve/CVE-2026-39883 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2456718 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-39883 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-39883 | external |
| http://github.com/open-telemetry/opentelemetry-go… | external |
| https://github.com/open-telemetry/opentelemetry-g… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.8.8 General Availability release, with updates to container images.",
"title": "Topic"
},
{
"category": "general",
"text": "Assisted Installer RHEL 9 integrates components for the general multicluster engine\nfor Kubernetes 2.8.8 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26254",
"url": "https://access.redhat.com/errata/RHSA-2026:26254"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-58058",
"url": "https://access.redhat.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39883",
"url": "https://access.redhat.com/security/cve/CVE-2026-39883"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26254.json"
}
],
"title": "Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.8.8",
"tracking": {
"current_release_date": "2026-06-16T10:23:19+00:00",
"generator": {
"date": "2026-06-16T10:23:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.0.0"
}
},
"id": "RHSA-2026:26254",
"initial_release_date": "2026-06-16T10:11:43+00:00",
"revision_history": [
{
"date": "2026-06-16T10:11:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-16T10:11:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-16T10:23:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "multicluster engine for Kubernetes 2.8",
"product": {
"name": "multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:multicluster_engine:2.8::el9"
}
}
}
],
"category": "product_family",
"name": "multicluster engine for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Aba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-rhel9\u0026tag=1781593211"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Abc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-image-service-rhel9\u0026tag=1781592435"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9\u0026tag=1781592447"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Adfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9\u0026tag=1781592399"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1781539725"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-image-service-rhel9\u0026tag=1781592435"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Ad301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-rhel9\u0026tag=1781593211"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3Ad040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9\u0026tag=1781592447"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9\u0026tag=1781592399"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1781539725"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-image-service-rhel9\u0026tag=1781592435"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3Aa382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-rhel9\u0026tag=1781593211"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3Ac34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9\u0026tag=1781592447"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Af3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9\u0026tag=1781592399"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Abd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1781539725"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Ae9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-image-service-rhel9\u0026tag=1781592435"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-rhel9@sha256%3A458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-rhel9\u0026tag=1781593211"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9\u0026tag=1781592447"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Ab94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9\u0026tag=1781592399"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Aa11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1781539725"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-58058",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-28T22:00:45.848319+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2391585"
}
],
"notes": [
{
"category": "description",
"text": "A memory leak flaw has been discovered in the golang github.com/ulikunitz/xz package. In affected versions, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while the header is read. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would allow such an issue to be detected. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "RHBZ#2391585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58058"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058"
},
{
"category": "external",
"summary": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2",
"url": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"
},
{
"category": "external",
"summary": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9",
"url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9"
}
],
"release_date": "2025-08-28T21:54:05.561000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T10:11:43+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26254"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory"
},
{
"cve": "CVE-2026-39883",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"discovery_date": "2026-04-08T21:01:31.690577+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system\u0027s PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
],
"known_not_affected": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39883"
},
{
"category": "external",
"summary": "RHBZ#2456718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39883",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
},
{
"category": "external",
"summary": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
"url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
}
],
"release_date": "2026-04-08T20:26:41.731000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T10:11:43+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26254"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris"
}
]
}
RHSA-2026:26257
Vulnerability from csaf_redhat - Published: 2026-06-16 10:21 - Updated: 2026-06-16 10:23
A memory leak flaw has been discovered in the Go package github.com/ulikunitz/xz. In affected versions, data can be placed in front of an LZMA-encoded byte stream without this being detected while the header is read. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would allow such an issue to be detected. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system's PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64 | — |
Vendor Fix
fix
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:26257 | self |
| https://access.redhat.com/security/cve/CVE-2025-58058 | external |
| https://access.redhat.com/security/cve/CVE-2026-39883 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2025-58058 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2391585 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-58058 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-58058 | external |
| https://github.com/ulikunitz/xz/commit/88ddf1d0d9… | external |
| https://github.com/ulikunitz/xz/security/advisori… | external |
| https://access.redhat.com/security/cve/CVE-2026-39883 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2456718 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-39883 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-39883 | external |
| http://github.com/open-telemetry/opentelemetry-go… | external |
| https://github.com/open-telemetry/opentelemetry-g… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.8 General Availability release, with updates to container images.",
"title": "Topic"
},
{
"category": "general",
"text": "Assisted Installer RHEL 8 integrates components for the general multicluster engine\nfor Kubernetes 2.8.8 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26257",
"url": "https://access.redhat.com/errata/RHSA-2026:26257"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-58058",
"url": "https://access.redhat.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39883",
"url": "https://access.redhat.com/security/cve/CVE-2026-39883"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26257.json"
}
],
"title": "Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.8",
"tracking": {
"current_release_date": "2026-06-16T10:23:19+00:00",
"generator": {
"date": "2026-06-16T10:23:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.0.0"
}
},
"id": "RHSA-2026:26257",
"initial_release_date": "2026-06-16T10:21:48+00:00",
"revision_history": [
{
"date": "2026-06-16T10:21:48+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-16T10:21:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-16T10:23:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "multicluster engine for Kubernetes 2.8",
"product": {
"name": "multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:multicluster_engine:2.8::el8"
}
}
}
],
"category": "product_family",
"name": "multicluster engine for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Aaa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"product": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"product_identification_helper": {
"purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64 as a component of multicluster engine for Kubernetes 2.8",
"product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
},
"product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
"relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-58058",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-28T22:00:45.848319+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2391585"
}
],
"notes": [
{
"category": "description",
"text": "A memory leak flaw has been discovered in the golang github.com/ulikunitz/xz package. In affected versions, data placed in front of an LZMA-encoded byte stream is not detected while the header is read. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header doesn\u0027t include a magic number or a checksum that would detect such an issue. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "RHBZ#2391585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58058"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058"
},
{
"category": "external",
"summary": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2",
"url": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"
},
{
"category": "external",
"summary": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9",
"url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9"
}
],
"release_date": "2025-08-28T21:54:05.561000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T10:21:48+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26257"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory"
},
{
"cve": "CVE-2026-39883",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"discovery_date": "2026-04-08T21:01:31.690577+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, the library runs the `kenv` command by bare name rather than by absolute path, so the executable is resolved through the PATH environment variable. A local attacker who can manipulate the PATH environment variable could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39883"
},
{
"category": "external",
"summary": "RHBZ#2456718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39883",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
},
{
"category": "external",
"summary": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
"url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
}
],
"release_date": "2026-04-08T20:26:41.731000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T10:21:48+00:00",
"details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
"product_ids": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26257"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
"multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris"
}
]
}