RHSA-2026:9388
Vulnerability from csaf_redhat - Published: 2026-04-21 15:19 - Updated: 2026-05-02 03:27Summary
Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.9.2 release
Severity
Important
Notes
Topic: Red Hat build of OpenTelemetry 3.9.2 has been released
Details: This release of the Red Hat build of OpenTelemetry provides security improvements.
Breaking changes:
* None
Deprecations:
* None
Technology Preview features:
* None
Enhancements:
* None
Bug fixes:
* XPath library vulnerability is fixed: Previously, the 'github.com/antchfx/xpath' library was vulnerable to a denial of service (DoS) attack. This issue occurred because specially crafted boolean XPath expressions that evaluated to true caused an infinite loop in the 'logicalQuery.Select' function, leading to 100% CPU utilization. With this update, the XPath library properly handles these expressions and prevents infinite loops. As a result, the system is no longer vulnerable to this DoS condition. For more information, see https://access.redhat.com/security/cve/cve-2026-32287.
* gRPC-Go authorization bypass vulnerability is fixed: Previously, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 ':path' pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed ':path' that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the ':path' pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. For more information, see https://access.redhat.com/security/cve/cve-2026-33186.
* Go JOSE denial of service vulnerability is fixed: Previously, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial of service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer crashes when processing malformed JWE objects, and the service remains available to legitimate users. For more information, see https://access.redhat.com/security/cve/cve-2026-34986.
Known issues:
* The filesystem scraper does not produce the `system.filesystem.inodes.usage` and `system.filesystem.usage` metrics in the Host Metrics Receiver after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround exists. For more information, see https://issues.redhat.com/browse/TRACING-5963.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in github.com/antchfx/xpath. An attacker could exploit this vulnerability by providing specially crafted boolean XPath expressions that evaluate to true. This can cause an infinite loop within the logicalQuery.Select function, leading to 100% CPU utilization. The consequence is a Denial of Service (DoS) condition, making the affected system unresponsive.
6.2 (Medium)
Vendor Fix
For details on how to apply this update, refer to:
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators
https://access.redhat.com/errata/RHSA-2026:9388
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
9.1 (Critical)
Vendor Fix
For details on how to apply this update, refer to:
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators
https://access.redhat.com/errata/RHSA-2026:9388
Workaround
To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
7.5 (High)
Vendor Fix
For details on how to apply this update, refer to:
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators
https://access.redhat.com/errata/RHSA-2026:9388
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of OpenTelemetry 3.9.2 has been released",
"title": "Topic"
},
{
"category": "general",
"text": "This release of the Red Hat build of OpenTelemetry provides security improvements.\n\n\nBreaking changes:\n\n* None\n\n\nDeprecations:\n\n* None\n\n\nTechnology Preview features:\n\n* None\n\n\nEnhancements:\n\n* None\n\n\nBug fixes:\n\n* XPath library vulnerability is fixed: Previously, the \u0027github.com/antchfx/xpath\u0027 library was vulnerable to a denial of service (DoS) attack. This issue occurred because specially crafted boolean XPath expressions that evaluated to true caused an infinite loop in the \u0027logicalQuery.Select\u0027 function, leading to 100% CPU utilization. With this update, the XPath library properly handles these expressions and prevents infinite loops. As a result, the system is no longer vulnerable to this DoS condition. For more information, see https://access.redhat.com/security/cve/cve-2026-32287.\n\n* gRPC-Go authorization bypass vulnerability is fixed: Previously, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 \u0027:path\u0027 pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed \u0027:path\u0027 that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the \u0027:path\u0027 pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. For more information, see https://access.redhat.com/security/cve/cve-2026-33186.\n\n* Go JOSE denial of service vulnerability is fixed: Previously, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial of service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer crashes when processing malformed JWE objects, and the service remains available to legitimate users. For more information, see https://access.redhat.com/security/cve/cve-2026-34986.\n\n\nKnown issues:\n\n* The filesystem scraper does not produce the `system.filesystem.inodes.usage` and `system.filesystem.usage` metrics in the Host Metrics Receiver after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround exists. For more information, see https://issues.redhat.com/browse/TRACING-5963.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:9388",
"url": "https://access.redhat.com/errata/RHSA-2026:9388"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32287",
"url": "https://access.redhat.com/security/cve/CVE-2026-32287"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_9388.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.9.2 release",
"tracking": {
"current_release_date": "2026-05-02T03:27:56+00:00",
"generator": {
"date": "2026-05-02T03:27:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2026:9388",
"initial_release_date": "2026-04-21T15:19:05+00:00",
"revision_history": [
{
"date": "2026-04-21T15:19:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-21T15:19:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-02T03:27:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift distributed tracing 3.9.2",
"product": {
"name": "Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift distributed tracing"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-operator-bundle@sha256%3A333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776245088"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel9@sha256%3A7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185379"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel9-operator@sha256%3A5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185352"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel9@sha256%3Abcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185328"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel9@sha256%3Aff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185379"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel9-operator@sha256%3A529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185352"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel9@sha256%3A28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185328"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel9@sha256%3A0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185379"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel9-operator@sha256%3A5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185352"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel9@sha256%3A9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185328"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel9@sha256%3A9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185379"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel9-operator@sha256%3A270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185352"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel9@sha256%3Aca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=1776185328"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64 as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x as a component of Red Hat OpenShift distributed tracing 3.9.2",
"product_id": "Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.9.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32287",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2026-03-26T20:02:37.779428+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451856"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in github.com/antchfx/xpath. An attacker could exploit this vulnerability by providing specially crafted boolean XPath expressions that evaluate to true. This can cause an infinite loop within the logicalQuery.Select function, leading to 100% CPU utilization. The consequence is a Denial of Service (DoS) condition, making the affected system unresponsive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/antchfx/xpath: github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath expressions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32287"
},
{
"category": "external",
"summary": "RHBZ#2451856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32287"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32287"
},
{
"category": "external",
"summary": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494",
"url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"
},
{
"category": "external",
"summary": "https://github.com/antchfx/xpath/issues/121",
"url": "https://github.com/antchfx/xpath/issues/121"
},
{
"category": "external",
"summary": "https://github.com/golang/vulndb/issues/4526",
"url": "https://github.com/golang/vulndb/issues/4526"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4526",
"url": "https://pkg.go.dev/vuln/GO-2026-4526"
}
],
"release_date": "2026-03-26T19:40:52.142000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T15:19:05+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9388"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/antchfx/xpath: github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath expressions"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T15:19:05+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9388"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T15:19:05+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9388"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:7c84cdf31817fe4584a5e8a1589f4c0f09f22aed8f75e6d694143c6a6065d330_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:9ef57417e79d78ca1a623357b5a58c384fdf3a2c954c3587b76cce8983a725e4_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-collector-rhel9@sha256:ff8b32e89a8550c5fac876f5869df8e93ba99b44e49d079a3375f638bc47dfd6_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:333a0122b7f40e70c2fa34b7045cd119b2887612e247346a6f344bc998e363ea_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:270839ae96516ba23c72b7e9edd00df35c675e9043382233119b7f516cad858c_s390x",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:529bf355324a078400ca9e9a2dca7b641656cf7b5e735469c5253a2633bf1857_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5496393c7ed9c8f47de5817bf7f2432608b07342e5bfa4f30f4974d1e2a160fd_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-rhel9-operator@sha256:5bfd16612872059e740b630ad3aee5bcad70e91ff197df32fd04c437cc2e3506_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:28a837153e4b73c79ee93082656410084dee8d2a2a52146ad9a41d6fc8623dcb_arm64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:9c862dc8f1ec9c5c2ae2e636a52e62c119e27ce4496343ce07d45e431c93cf99_ppc64le",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:bcbe4340cb78e1bf4452f398f879ddb77a0bd18da35c4780f178887828152497_amd64",
"Red Hat OpenShift distributed tracing 3.9.2:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel9@sha256:ca369b5151f39ae58f0ad3a27722cbf2abda1fffa68176b0075695f583de7ba1_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…