RHSA-2026:0527
Vulnerability from csaf_redhat - Published: 2026-01-13 16:52 - Updated: 2026-01-13 22:46Summary
Red Hat Security Advisory: VolSync v0.14 security fixes and container updates
Notes
Topic
VolSync v0.14 General Availability release images, which provide enhancements, security fixes, and updated container images.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Details
VolSync v0.14 is a Kubernetes operator that enables asynchronous
replication of persistent volumes within a cluster, or across clusters. After
deploying the VolSync operator, it can create and maintain copies of your
persistent data.
For more information about VolSync, see:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/business_continuity/business-cont-overview#volsync
or the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "VolSync v0.14 General Availability release images, which provide enhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "VolSync v0.14 is a Kubernetes operator that enables asynchronous\nreplication of persistent volumes within a cluster, or across clusters. After\ndeploying the VolSync operator, it can create and maintain copies of your\npersistent data.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0527",
"url": "https://access.redhat.com/errata/RHSA-2026:0527"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47913",
"url": "https://access.redhat.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-58183",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0527.json"
}
],
"title": "Red Hat Security Advisory: VolSync v0.14 security fixes and container updates",
"tracking": {
"current_release_date": "2026-01-13T22:46:39+00:00",
"generator": {
"date": "2026-01-13T22:46:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0527",
"initial_release_date": "2026-01-13T16:52:50+00:00",
"revision_history": [
{
"date": "2026-01-13T16:52:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-13T16:52:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-13T22:46:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product": {
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:acm:2.15::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Management for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"product": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256%3A1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1767718573"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"product": {
"name": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"product_id": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-operator-bundle@sha256%3Adada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1767723076"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le",
"product": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le",
"product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256%3Aa90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1767718573"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"product": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256%3A21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1767718573"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"product": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256%3A087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1767718573"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64"
},
"product_reference": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64"
},
"product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64"
},
"product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x"
},
"product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.15",
"product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
},
"product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le",
"relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47913",
"discovery_date": "2025-11-13T22:01:26.092452+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2414943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in golang.org/x/crypto/ssh/agent causes the SSH agent client to panic when a peer responds with the generic SSH_AGENT_SUCCESS (0x06) message to requests expecting typed replies (e.g., List, Sign). The unmarshal layer produces an unexpected message type, which the client code does not handle, leading to panic(\"unreachable\") or a nil-pointer dereference. A malicious agent or forwarded connection can exploit this to terminate the client process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability was marked as Important because it allows any malicious or misbehaving SSH agent to force a crash in the client process using a single valid protocol byte. The panic occurs before the client has a chance to validate message structure or recover, which means an attacker controlling\u2014or intercepting\u2014SSH agent traffic can reliably terminate processes that rely on agent interactions. In environments where SSH agents operate over forwarded sockets, shared workspaces, or CI/CD runners, this turns into a reliable, unauthenticated remote denial of service against critical automation or developer tooling. The flaw also stems from unsafe assumptions in the unmarshalling logic, where unexpected but protocol-legal message types drop into \u201cunreachable\u201d code paths instead of being handled gracefully\u2014making it a design-level reliability break rather than a simple error-handling bug. For this reason, it is rated as an important availability-impacting vulnerability rather than a moderate issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
],
"known_not_affected": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "RHBZ#2414943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47913"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-hcg3-q754-cr77",
"url": "https://github.com/advisories/GHSA-hcg3-q754-cr77"
},
{
"category": "external",
"summary": "https://go.dev/cl/700295",
"url": "https://go.dev/cl/700295"
},
{
"category": "external",
"summary": "https://go.dev/issue/75178",
"url": "https://go.dev/issue/75178"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4116",
"url": "https://pkg.go.dev/vuln/GO-2025-4116"
}
],
"release_date": "2025-11-13T21:29:39.907000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-13T16:52:50+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes documentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0527"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
],
"known_not_affected": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-13T16:52:50+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes documentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.15/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0527"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dada417982350c8f5b0ea5285d5568ac2ca23cba871de64fa80c9d2af43de48c_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:087a7ad5462d1867c1b1fb18c3f20c8a3864aaa1bc5bc0a227efb6c862c9f851_arm64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:1e398c39bc39c754de8998eebc1f79127af95f5978cbe9c26034a95d10feb6df_amd64",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:21a637e366f145dfc0f8ab1ed2e7bda009e0403561502d54f18ef3257392777c_s390x",
"Red Hat Advanced Cluster Management for Kubernetes 2.15:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a90157ccc6fafba463ccc0b4dc7ec9911909152dbe7efed9d794da65ccc76050_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…