RHSA-2026:14100

Vulnerability from csaf_redhat - Published: 2026-05-08 12:20 - Updated: 2026-05-09 08:54
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.12.89 bug fix and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.12.89 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.89. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2026:14096

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.

CWE-770 - Allocation of Resources Without Limits or Throttling
Vendor Fix: For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes

You may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha value for the release is as follows:

(For x86_64 architecture)
The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.

https://access.redhat.com/errata/RHSA-2026:14100
Workaround: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
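Red Hat reports no practical mitigation for the net/url flaw above, so the fix is the updated release. What a service owner can still do, as defense in depth, is bound the work a handler accepts before it ever calls ParseForm, which is the resource limiting that CWE-770 describes. The following is an added example of that budget; it is my own code, not Red Hat's and not part of the Go standard library, and the handler names, the limits (2 parameters, 64 KiB body) and the sample requests are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrTooManyParams is returned when the query string carries more parameters
// than the handler is willing to hand to ParseForm.
var ErrTooManyParams = errors.New("too many query parameters")

// countQueryParams counts the non-empty '&'-separated segments of a raw query
// string. It allocates nothing, so it is cheap to run on every request, and it
// counts exactly the segments that url.ParseQuery would turn into map entries.
func countQueryParams(rawQuery string) int {
	n, inSeg := 0, false
	for i := 0; i < len(rawQuery); i++ {
		if rawQuery[i] == '&' {
			inSeg = false
			continue
		}
		if !inSeg {
			inSeg = true
			n++
		}
	}
	return n
}

// checkFormBudget applies two bounds before ParseForm is ever called: the
// query string may hold at most maxParams parameters, and a POST body may
// deliver at most maxBody bytes (http.MaxBytesReader makes ParseForm fail
// with an error once the cap is exceeded instead of reading the rest).
func checkFormBudget(w http.ResponseWriter, r *http.Request, maxParams int, maxBody int64) error {
	if countQueryParams(r.URL.RawQuery) > maxParams {
		return ErrTooManyParams
	}
	if r.Body != nil && r.Body != http.NoBody {
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	}
	return nil
}

// limitForm is middleware that answers 414 for an over-budget query string,
// so the wrapped handler never calls ParseForm on it.
func limitForm(maxParams int, maxBody int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := checkFormBudget(w, r, maxParams, maxBody); err != nil {
			http.Error(w, err.Error(), http.StatusRequestURITooLong)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// formHandler is a hypothetical stand-in for application code that calls ParseForm.
func formHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parsed %d parameters\n", len(r.Form))
}

func main() {
	// Limits are assumptions for the demo; production values depend on the form.
	h := limitForm(2, 64<<10, http.HandlerFunc(formHandler))
	// Constructed sample requests: the second one exceeds the two-parameter budget.
	for _, q := range []string{"/search?a=1&b=2", "/search?a=1&b=2&c=3"} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", q, nil))
		fmt.Printf("%s -> %d %s", q, rec.Code, rec.Body.String())
	}
}
```

The count runs over the raw string rather than over a parsed map, so the guard itself cannot be made expensive by the request it is guarding; the body cap matters because ParseForm also reads URL-encoded POST bodies into the same map.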

A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.

CWE-770 - Allocation of Resources Without Limits or Throttling
Vendor Fix: identical to the vendor fix text given for the first vulnerability above.
Workaround: To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.
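One way to apply the timeout the workaround describes, as an added example that is my own code and not Red Hat's or the Go project's: the archive is opened through the zip.Reader's fs.FS Open method, which is where the name index is built, inside a goroutine, and the caller waits only as long as a context deadline allows. The sample archive, its file names and the 1 MiB read cap are constructed for the demo. The caveat a practitioner should know is that a goroutine cannot be stopped from outside: the deadline bounds how long the request waits (and lets the service reject it), not the CPU the indexing has already consumed, so a process-level limit or a worker pool with a bounded size still belongs next to this.

```go
package main

import (
	"archive/zip"
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"time"
)

// ErrZipTimeout is returned when the archive could not be indexed and the
// requested entry read within the caller's deadline.
var ErrZipTimeout = errors.New("zip processing exceeded deadline")

// readEntry opens one entry of an in-memory zip archive under a deadline.
// Reader.Open (the fs.FS method) builds the file-name index on first use, which
// is the step the advisory describes as super-linear on crafted names, so that
// call runs in a goroutine and the caller waits only until the deadline passes.
func readEntry(data []byte, name string, timeout time.Duration) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()

	type result struct {
		content []byte
		err     error
	}
	// Buffered so the goroutine can finish and exit even after a timeout.
	done := make(chan result, 1)

	go func() {
		zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
		if err != nil {
			done <- result{nil, err}
			return
		}
		f, err := zr.Open(name) // first Open triggers the index build
		if err != nil {
			done <- result{nil, err}
			return
		}
		defer f.Close()
		// Cap the inflated bytes as well; a deadline alone does not bound output size.
		content, err := io.ReadAll(io.LimitReader(f, 1<<20))
		done <- result{content, err}
	}()

	select {
	case r := <-done:
		return r.content, r.err
	case <-ctx.Done():
		return nil, ErrZipTimeout
	}
}

// buildSampleZip constructs a small archive in memory (constructed test data,
// not an archive from the advisory) with the given names and content.
func buildSampleZip(names []string, content string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(content)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	archive, err := buildSampleZip([]string{"a.txt", "dir/b.txt"}, "hello")
	if err != nil {
		panic(err)
	}
	content, err := readEntry(archive, "dir/b.txt", 2*time.Second)
	fmt.Printf("content=%q err=%v\n", content, err)
	_, err = readEntry(archive, "missing.txt", 2*time.Second)
	fmt.Printf("missing entry err=%v\n", err)
}
```

Keep the deadline short, as the workaround says (a few seconds), and treat ErrZipTimeout as a reason to reject the upload rather than retry it.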

A flaw was found in cmd/go. An attacker can exploit this by building a malicious Go source file that uses the '#cgo pkg-config:' directive. This allows the attacker to write to an arbitrary file with partial control over its content, by providing a '--log-file' argument to the pkg-config command. This vulnerability can lead to arbitrary file write.

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Vendor Fix: identical to the vendor fix text given for the first vulnerability above.
Workaround: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

A flaw was found in Go's 'cgo tool'. This vulnerability arises from a discrepancy in how Go and C/C++ comments are parsed, which allows for malicious code to be hidden within comments and then "smuggled" into the compiled `cgo` binary. An attacker could exploit this to embed and execute arbitrary code, potentially leading to significant system compromise.

Vendor Fix: identical to the vendor fix text given for the first vulnerability above.

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.

Vendor Fix: identical to the vendor fix text given for the first vulnerability above.

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.

CWE-1286 - Improper Validation of Syntactic Correctness of Input
Vendor Fix: identical to the vendor fix text given for the first vulnerability above.
Workaround: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
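Where a URL's host is used for an authorization decision (an allow-list of hosts, an SSRF guard, a redirect check), the safe habit is to not trust the parser's acceptance alone but to re-validate the authority component against what a host is allowed to look like. The following is an added example of such a validator; it is my own code, not the page's and not the fix the Go project shipped, and it goes slightly beyond the advisory's case (garbage before an IP literal) by also rejecting garbage after the literal, bare IPv6 without brackets, and DNS labels that violate the hostname grammar. The sample URLs are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// ErrBadHost is returned when the authority component is not a DNS name, an
// IPv4 address, or a bracketed IPv6 literal with nothing around it.
var ErrBadHost = errors.New("invalid host in URL")

// dnsLabel matches one hostname label: letters, digits and hyphens, not
// starting or ending with a hyphen, at most 63 characters.
var dnsLabel = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// parseStrictHost parses rawURL and then re-checks the host independently of
// what url.Parse accepted. Any '[' or ']' in the host forces the whole host to
// be exactly "[" + IPv6 + "]" (plus an optional numeric port, which url.URL
// already separates), so stray characters before or after the literal fail.
func parseStrictHost(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	host := u.Host
	if host == "" {
		return nil, ErrBadHost
	}
	// Port() only returns a value when the suffix is a well-formed ":digits".
	if p := u.Port(); p != "" {
		host = strings.TrimSuffix(host, ":"+p)
	}

	if strings.ContainsAny(host, "[]") {
		if !strings.HasPrefix(host, "[") || !strings.HasSuffix(host, "]") {
			return nil, ErrBadHost
		}
		ip := net.ParseIP(host[1 : len(host)-1])
		if ip == nil || ip.To4() != nil { // brackets are for IPv6 only
			return nil, ErrBadHost
		}
		return u, nil
	}

	if ip := net.ParseIP(host); ip != nil {
		if ip.To4() == nil { // IPv6 must be bracketed in a URL
			return nil, ErrBadHost
		}
		return u, nil
	}

	// Otherwise every dot-separated label must satisfy the hostname grammar.
	for _, label := range strings.Split(strings.TrimSuffix(host, "."), ".") {
		if !dnsLabel.MatchString(label) {
			return nil, ErrBadHost
		}
	}
	return u, nil
}

func main() {
	// Constructed sample inputs: the last two carry junk around the IP literal.
	for _, raw := range []string{
		"http://example.com:8080/path",
		"https://[::1]:443/",
		"http://192.0.2.1/",
		"http://x[::1]/",
		"http://[::1]x/",
	} {
		u, err := parseStrictHost(raw)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-28s host=%q port=%q\n", raw, u.Hostname(), u.Port())
	}
}
```

On a Go release that already contains the fix, url.Parse itself rejects the junk-before-literal case and the validator simply passes that error through; on an older release the second check is what rejects it, so the caller's behaviour is the same either way.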
References
https://access.redhat.com/errata/RHSA-2026:14100 self
https://access.redhat.com/security/cve/CVE-2025-61726 external
https://access.redhat.com/security/cve/CVE-2025-61728 external
https://access.redhat.com/security/cve/CVE-2025-61731 external
https://access.redhat.com/security/cve/CVE-2025-61732 external
https://access.redhat.com/security/cve/CVE-2025-68121 external
https://access.redhat.com/security/cve/CVE-2026-25679 external
https://access.redhat.com/security/updates/classi… external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2025-61726 self
https://bugzilla.redhat.com/show_bug.cgi?id=2434432 external
https://www.cve.org/CVERecord?id=CVE-2025-61726 external
https://nvd.nist.gov/vuln/detail/CVE-2025-61726 external
https://go.dev/cl/736712 external
https://go.dev/issue/77101 external
https://groups.google.com/g/golang-announce/c/Vd2… external
https://pkg.go.dev/vuln/GO-2026-4341 external
https://access.redhat.com/security/cve/CVE-2025-61728 self
https://bugzilla.redhat.com/show_bug.cgi?id=2434431 external
https://www.cve.org/CVERecord?id=CVE-2025-61728 external
https://nvd.nist.gov/vuln/detail/CVE-2025-61728 external
https://go.dev/cl/736713 external
https://go.dev/issue/77102 external
https://pkg.go.dev/vuln/GO-2026-4342 external
https://access.redhat.com/security/cve/CVE-2025-61731 self
https://bugzilla.redhat.com/show_bug.cgi?id=2434433 external
https://www.cve.org/CVERecord?id=CVE-2025-61731 external
https://nvd.nist.gov/vuln/detail/CVE-2025-61731 external
https://go.dev/cl/736711 external
https://go.dev/issue/77100 external
https://pkg.go.dev/vuln/GO-2026-4339 external
https://access.redhat.com/security/cve/CVE-2025-61732 self
https://bugzilla.redhat.com/show_bug.cgi?id=2437016 external
https://www.cve.org/CVERecord?id=CVE-2025-61732 external
https://nvd.nist.gov/vuln/detail/CVE-2025-61732 external
https://go.dev/cl/734220 external
https://go.dev/issue/76697 external
https://groups.google.com/g/golang-announce/c/K09… external
https://pkg.go.dev/vuln/GO-2026-4433 external
https://access.redhat.com/security/cve/CVE-2025-68121 self
https://bugzilla.redhat.com/show_bug.cgi?id=2437111 external
https://www.cve.org/CVERecord?id=CVE-2025-68121 external
https://nvd.nist.gov/vuln/detail/CVE-2025-68121 external
https://go.dev/cl/737700 external
https://go.dev/issue/77217 external
https://pkg.go.dev/vuln/GO-2026-4337 external
https://access.redhat.com/security/cve/CVE-2026-25679 self
https://bugzilla.redhat.com/show_bug.cgi?id=2445356 external
https://www.cve.org/CVERecord?id=CVE-2026-25679 external
https://nvd.nist.gov/vuln/detail/CVE-2026-25679 external
https://go.dev/cl/752180 external
https://go.dev/issue/77578 external
https://groups.google.com/g/golang-announce/c/Edh… external
https://pkg.go.dev/vuln/GO-2026-4601 external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenShift Container Platform release 4.12.89 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of  Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.12.89. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/RHBA-2026:14096\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:14100",
        "url": "https://access.redhat.com/errata/RHSA-2026:14100"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61726",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61728",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61731",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61731"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61732",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61732"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-68121",
        "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-25679",
        "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_14100.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift Container Platform 4.12.89 bug fix and security update",
    "tracking": {
      "current_release_date": "2026-05-09T08:54:47+00:00",
      "generator": {
        "date": "2026-05-09T08:54:47+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2026:14100",
      "initial_release_date": "2026-05-08T12:20:25+00:00",
      "revision_history": [
        {
          "date": "2026-05-08T12:20:25+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-08T12:20:44+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-09T08:54:47+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Container Platform 4.12",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.12",
                  "product_id": "Red Hat OpenShift Container Platform 4.12",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:4.12::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Container Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
                  "product_id": "registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift/driver-toolkit-rhel8@sha256%3A39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4\u0026tag=1778037510"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64",
                  "product_id": "registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift/ose-tests@sha256%3A1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748?arch=amd64\u0026repository_url=registry.redhat.io/openshift4\u0026tag=1778173182"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64 as a component of Red Hat OpenShift Container Platform 4.12",
          "product_id": "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        },
        "product_reference": "registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Container Platform 4.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64 as a component of Red Hat OpenShift Container Platform 4.12",
          "product_id": "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        },
        "product_reference": "registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Container Platform 4.12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-61726",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-28T20:01:42.791305+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434432"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434432",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736712",
          "url": "https://go.dev/cl/736712"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77101",
          "url": "https://go.dev/issue/77101"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4341",
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "release_date": "2026-01-28T19:30:31.215000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-08T12:20:25+00:00",
          "details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n      The sha value for the release is as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14100"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
    },
    {
      "cve": "CVE-2025-61728",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-28T20:01:39.965024+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434431"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker needs to be able to process a malicious zip archive with an application using the archive/zip package. Additionally, this vulnerability can cause a Go application to consume an excessive amount of CPU and memory, eventually resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434431",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434431"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61728",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736713",
          "url": "https://go.dev/cl/736713"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77102",
          "url": "https://go.dev/issue/77102"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4342",
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "release_date": "2026-01-28T19:30:31.354000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-08T12:20:25+00:00",
          "details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n      The sha value for the release is as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14100"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip"
    },
    {
      "cve": "CVE-2025-61731",
      "cwe": {
        "id": "CWE-88",
        "name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
      },
      "discovery_date": "2026-01-28T20:01:45.587773+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434433"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in cmd/go. An attacker can exploit this by building a malicious Go source file that uses the \u0027#cgo pkg-config:\u0027 directive. This allows the attacker to write to an arbitrary file with partial control over its content, by providing a \u0027--log-file\u0027 argument to the pkg-config command. This vulnerability can lead to arbitrary file write.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is Important rather than Moderate because compiling a malicious Go source file can cause `pkg-config` to create or append data to files at attacker-chosen locations, subject to the permissions of the build user. This can enable unintended filesystem modifications during the build process, which can lead to broken builds, alter tool behavior, and poison caches or artifacts, even without direct code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61731"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434433",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434433"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61731",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61731"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61731",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61731"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736711",
          "url": "https://go.dev/cl/736711"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77100",
          "url": "https://go.dev/issue/77100"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4339",
          "url": "https://pkg.go.dev/vuln/GO-2026-4339"
        }
      ],
      "release_date": "2026-01-28T19:30:30.844000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-08T12:20:25+00:00",
          "details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n      The sha value for the release is as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14100"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive"
    },
    {
      "cve": "CVE-2025-61732",
      "discovery_date": "2026-02-05T05:00:47.678207+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2437016"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go\u0027s \u0027cgo tool\u0027. This vulnerability arises from a discrepancy in how Go and C/C++ comments are parsed, which allows for malicious code to be hidden within comments and then \"smuggled\" into the compiled `cgo` binary. An attacker could exploit this to embed and execute arbitrary code, potentially leading to significant system compromise.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important vulnerability in the `cmd/cgo` component of the Go toolchain. A parsing discrepancy between Go and C/C++ comments could allow for code smuggling into the resulting `cgo` binary. This primarily affects systems where untrusted Go modules utilizing `cgo` are built, impacting Red Hat Enterprise Linux and OpenShift Container Platform.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61732"
        },
        {
          "category": "external",
          "summary": "RHBZ#2437016",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437016"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61732",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61732"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61732",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61732"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/734220",
          "url": "https://go.dev/cl/734220"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/76697",
          "url": "https://go.dev/issue/76697"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
          "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4433",
          "url": "https://pkg.go.dev/vuln/GO-2026-4433"
        }
      ],
      "release_date": "2026-02-05T03:42:26.392000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-08T12:20:25+00:00",
          "details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n      The sha value for the release is as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14100"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy"
    },
    {
      "cve": "CVE-2025-68121",
      "discovery_date": "2026-02-05T18:01:30.086058+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2437111"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "RHBZ#2437111",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/737700",
          "url": "https://go.dev/cl/737700"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77217",
          "url": "https://go.dev/issue/77217"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
          "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4337",
          "url": "https://pkg.go.dev/vuln/GO-2026-4337"
        }
      ],
      "release_date": "2026-02-05T17:48:44.141000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-08T12:20:25+00:00",
          "details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n      The sha value for the release is as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14100"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
    },
    {
      "cve": "CVE-2026-25679",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2026-03-06T22:02:11.567841+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2445356"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
        },
        {
          "category": "external",
          "summary": "RHBZ#2445356",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/752180",
          "url": "https://go.dev/cl/752180"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77578",
          "url": "https://go.dev/issue/77578"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4601",
          "url": "https://pkg.go.dev/vuln/GO-2026-4601"
        }
      ],
      "release_date": "2026-03-06T21:28:14.211000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-08T12:20:25+00:00",
          "details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64 architecture. The image digest may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n      The sha value for the release is as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:594f7c90eeb3e7540444a5c023fd50d83dd436153c96b01c178ea2ebeb32560a\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14100"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/driver-toolkit-rhel8@sha256:39b0f5b85e8cccc7ad9a6f9d555a9135cdfd1bc7ee80a9c66611bc389f10bca1_amd64",
            "Red Hat OpenShift Container Platform 4.12:registry.redhat.io/openshift4/ose-tests@sha256:1e9eba414d5564aff8ef7ba80306354f4aea72845a93a36f35dd74fbec101748_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
    }
  ]
}

