Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-61729 (GCVE-0-2025-61729)
Vulnerability from cvelistv5 – Published: 2025-12-02 18:54 – Updated: 2025-12-03 19:37- CWE-400 - Uncontrolled Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | crypto/x509 |
Affected:
0 , < 1.24.11
(semver)
Affected: 1.25.0 , < 1.25.5 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T21:52:36.341575Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T21:52:58.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/x509",
"product": "crypto/x509",
"programRoutines": [
{
"name": "Certificate.VerifyHostname"
},
{
"name": "Certificate.Verify"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.5",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:37:14.903Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/725920"
},
{
"url": "https://go.dev/issue/76445"
},
{
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"title": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61729",
"datePublished": "2025-12-02T18:54:10.166Z",
"dateReserved": "2025-09-30T15:05:03.605Z",
"dateUpdated": "2025-12-03T19:37:14.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-61729",
"date": "2026-07-02",
"epss": "0.00459",
"percentile": "0.36574"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-61729\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2025-12-02T19:15:51.447\",\"lastModified\":\"2026-06-17T09:50:48.507\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.\"}],\"affected\":[{\"source\":\"security@golang.org\",\"affectedData\":[{\"vendor\":\"Go standard library\",\"product\":\"crypto/x509\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pkg.go.dev\",\"packageName\":\"crypto/x509\",\"programRoutines\":[{\"name\":\"Certificate.VerifyHostname\"},{\"name\":\"Certificate.Verify\"}],\"versions\":[{\"version\":\"0\",\"lessThan\":\"1.24.11\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"1.25.0\",\"lessThan\":\"1.25.5\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-12-02T21:52:36.341575Z\",\"id\":\"CVE-2025-61729\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.24.11\",\"matchCriteriaId\":\"F2E6FD2A-A487-4099-B91D-2429F286AC6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.25.0\",\"versionEndExcluding\":\"1.25.5\",\"matchCriteriaId\":\"39C03A37-B94B-46E4-B1C2-A70A870F8E53\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/725920\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/76445\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/8FJoBkPddm4\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2025-4155\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61729\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-02T21:52:36.341575Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-02T21:52:53.822Z\"}}], \"cna\": {\"title\": \"Excessive resource consumption when printing error string for host certificate validation in crypto/x509\", \"credits\": [{\"lang\": \"en\", \"value\": \"Philippe Antoine (Catena cyber)\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"crypto/x509\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.24.11\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.25.0\", \"lessThan\": \"1.25.5\", \"versionType\": \"semver\"}], \"packageName\": \"crypto/x509\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Certificate.VerifyHostname\"}, {\"name\": \"Certificate.Verify\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/725920\"}, {\"url\": \"https://go.dev/issue/76445\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/8FJoBkPddm4\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2025-4155\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2025-12-03T19:37:14.903Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-61729\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-03T19:37:14.903Z\", \"dateReserved\": \"2025-09-30T15:05:03.605Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2025-12-02T18:54:10.166Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:2148
Vulnerability from csaf_redhat - Published: 2026-02-05 15:58 - Updated: 2026-07-02 16:17A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64 | — |
A cross site scripting flaw has been discovered in the npm react-router and @remix-run/router packages. React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.11.6 for Red Hat OpenShift Service Mesh 3.1\n\nThis update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.11.6, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* kiali-ossmc-rhel9: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284 )\n\n* kiali-rhel9: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284 )\n\n* kiali-rhel9: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 (CVE-2025-61729)\n\n* kiali-ossmc-rhel9: React Router vulnerable to XSS via Open Redirects (CVE-2026-22029)\n\n* kiali-rhel9: React Router vulnerable to XSS via Open Redirects (CVE-2026-22029)\n\n* kiali-ossmc-rhel9: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)\n\n* kiali-rhel9: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2148",
"url": "https://access.redhat.com/errata/RHSA-2026:2148"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-13465",
"url": "https://access.redhat.com/security/cve/CVE-2025-13465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15284",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61729",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-22029",
"url": "https://access.redhat.com/security/cve/CVE-2026-22029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2025-13465",
"url": "https://access.redhat.com/security/cve/cve-2025-13465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2025-15284",
"url": "https://access.redhat.com/security/cve/cve-2025-15284"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2025-61729",
"url": "https://access.redhat.com/security/cve/cve-2025-61729"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-22029",
"url": "https://access.redhat.com/security/cve/cve-2026-22029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2148.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.11.6 for Red Hat OpenShift Service Mesh 3.1",
"tracking": {
"current_release_date": "2026-07-02T16:17:03+00:00",
"generator": {
"date": "2026-07-02T16:17:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2148",
"initial_release_date": "2026-02-05T15:58:24+00:00",
"revision_history": [
{
"date": "2026-02-05T15:58:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T15:58:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ad6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138727"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ae5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140180"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138727"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140180"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aa60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138727"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ab6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140180"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138727"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140180"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13465",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2026-01-21T20:01:28.774829+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431740"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: prototype pollution in _.unset and _.omit functions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is only exploitable by applications using the _.unset and _.omit functions on an object and allowing user input to determine the path of the property to be removed. This issue only allows the deletion of properties but does not allow overwriting their behavior, limiting the impact to a denial of service. Due to this reason, this vulnerability has been rated with an important severity.\n\nIn Grafana, JavaScript code runs only in the browser, while the server side is all Golang. Therefore, the worst-case scenario is a loss of functionality in the client application inside the browser. To reflect this, the CVSS availability metric and the severity of the Grafana and the Grafana-PCP component have been updated to low and moderate, respectively.\n\nThe lodash dependency is bundled and used by the pcs-web-ui component of the PCS package. In Red Hat Enterprise Linux 8.10, the pcs-web-ui component is no longer included in the PCS package. As a result, RHEL 8.10 does not ship the vulnerable lodash component within PCS and is therefore not-affected by this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13465"
},
{
"category": "external",
"summary": "RHBZ#2431740",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-01-21T19:05:28.846000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T15:58:24+00:00",
"details": "See Kiali 2.11.6 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2148"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lodash: prototype pollution in _.unset and _.omit functions"
},
{
"cve": "CVE-2025-15284",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-12-29T23:00:58.541337+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2425946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "qs: qs: Denial of Service via improper input validation in array parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products that utilize the `qs` module for parsing query strings, particularly when processing user-controlled input with bracket notation. The `arrayLimit` option, intended to prevent resource exhaustion, is bypassed when bracket notation (`a[]=value`) is used, allowing a remote attacker to cause a denial of service through memory exhaustion. This can lead to application crashes or unresponsiveness, making the service unavailable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "RHBZ#2425946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9",
"url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p",
"url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"
}
],
"release_date": "2025-12-29T22:56:45.240000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T15:58:24+00:00",
"details": "See Kiali 2.11.6 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2148"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "qs: qs: Denial of Service via improper input validation in array parsing"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T15:58:24+00:00",
"details": "See Kiali 2.11.6 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2148"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2026-22029",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-01-10T04:01:03.694749+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2428412"
}
],
"notes": [
{
"category": "description",
"text": "A cross site scripting flaw has been discovered in the npm react-router and @remix-run/router packages. React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "@remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-22029"
},
{
"category": "external",
"summary": "RHBZ#2428412",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428412"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-22029",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22029"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-22029",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22029"
},
{
"category": "external",
"summary": "https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx",
"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx"
}
],
"release_date": "2026-01-10T02:42:32.736000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T15:58:24+00:00",
"details": "See Kiali 2.11.6 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2148"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:82e36c47f867ced806082b44fe357e70b07c72c4258c16af5a14f56fc040b534_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:84dfc3c35747d81138244b4aa9893f9f1d21775717a4014d328eb5701d832569_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b13c0381b96b286fd04e777ae6801ad61e703b5484e9105b9fa0c5de587c29_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e5a71ca768b96c827dd2fd860cbd739d7743f1eeb89b2e4c7cc9157941683626_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2cdf4960ec57c4971d2f9ce92b07686831e6f55e24c9b1a2831470f8da05b598_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a60d01bfe3bfa2dc484f9d940b71538f0b3732cb77db883edb7a93cf42f2992e_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ae9d275647749b591a1ab2e4e805904b02bf8af4265793120b5eb1065759fc13_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d6aaf4ab035e7dfb136fd85f82fb10852e657e8fdae2281613258009bb26250e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "@remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects"
}
]
}
RHSA-2026:2149
Vulnerability from csaf_redhat - Published: 2026-02-05 16:16 - Updated: 2026-07-02 16:17A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le | — |
Workaround
|
A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le | — |
Workaround
|
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le | — |
A cross site scripting flaw has been discovered in the npm react-router and @remix-run/router packages. React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.17.3 for Red Hat OpenShift Service Mesh 3.2\n\nThis update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.17.3, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* kiali-ossmc-rhel9: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284)\n\n* kiali-rhel9: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284)\n\n* kiali-rhel9: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 (CVE-2025-61729)\n\n* kiali-ossmc-rhel9: React Router vulnerable to XSS via Open Redirects (CVE-2026-22029)\n\n* kiali-rhel9: React Router vulnerable to XSS via Open Redirects (CVE-2026-22029)\n\n* kiali-ossmc-rhel9: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)\n\n* kiali-rhel9: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2149",
"url": "https://access.redhat.com/errata/RHSA-2026:2149"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-13465",
"url": "https://access.redhat.com/security/cve/CVE-2025-13465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15284",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61729",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-22029",
"url": "https://access.redhat.com/security/cve/CVE-2026-22029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2025-13465",
"url": "https://access.redhat.com/security/cve/cve-2025-13465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2025-15284",
"url": "https://access.redhat.com/security/cve/cve-2025-15284"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2025-61729",
"url": "https://access.redhat.com/security/cve/cve-2025-61729"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-22029",
"url": "https://access.redhat.com/security/cve/cve-2026-22029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2149.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.17.3 for Red Hat OpenShift Service Mesh 3.2",
"tracking": {
"current_release_date": "2026-07-02T16:17:03+00:00",
"generator": {
"date": "2026-07-02T16:17:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2149",
"initial_release_date": "2026-02-05T16:16:04+00:00",
"revision_history": [
{
"date": "2026-02-05T16:16:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T16:16:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aa97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138513"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-operator-bundle@sha256%3Af3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770146001"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3A447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140298"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ac602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770142326"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ad9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138513"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3A46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140298"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Afcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770142326"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138513"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Ad1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140298"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770142326"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770138513"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3A22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140298"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ad2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770142326"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13465",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2026-01-21T20:01:28.774829+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431740"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: prototype pollution in _.unset and _.omit functions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is only exploitable by applications using the _.unset and _.omit functions on an object and allowing user input to determine the path of the property to be removed. This issue only allows the deletion of properties but does not allow overwriting their behavior, limiting the impact to a denial of service. Due to this reason, this vulnerability has been rated with an important severity.\n\nIn Grafana, JavaScript code runs only in the browser, while the server side is all Golang. Therefore, the worst-case scenario is a loss of functionality in the client application inside the browser. To reflect this, the CVSS availability metric and the severity of the Grafana and the Grafana-PCP component have been updated to low and moderate, respectively.\n\nThe lodash dependency is bundled and used by the pcs-web-ui component of the PCS package. In Red Hat Enterprise Linux 8.10, the pcs-web-ui component is no longer included in the PCS package. As a result, RHEL 8.10 does not ship the vulnerable lodash component within PCS and is therefore not-affected by this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13465"
},
{
"category": "external",
"summary": "RHBZ#2431740",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-01-21T19:05:28.846000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T16:16:04+00:00",
"details": "See Kiali 2.17.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2149"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lodash: prototype pollution in _.unset and _.omit functions"
},
{
"cve": "CVE-2025-15284",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-12-29T23:00:58.541337+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2425946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "qs: qs: Denial of Service via improper input validation in array parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products that utilize the `qs` module for parsing query strings, particularly when processing user-controlled input with bracket notation. The `arrayLimit` option, intended to prevent resource exhaustion, is bypassed when bracket notation (`a[]=value`) is used, allowing a remote attacker to cause a denial of service through memory exhaustion. This can lead to application crashes or unresponsiveness, making the service unavailable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "RHBZ#2425946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9",
"url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p",
"url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"
}
],
"release_date": "2025-12-29T22:56:45.240000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T16:16:04+00:00",
"details": "See Kiali 2.17.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2149"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "qs: qs: Denial of Service via improper input validation in array parsing"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T16:16:04+00:00",
"details": "See Kiali 2.17.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2149"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2026-22029",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-01-10T04:01:03.694749+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2428412"
}
],
"notes": [
{
"category": "description",
"text": "A cross site scripting flaw has been discovered in the npm react-router and @remix-run/router packages. React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "@remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-22029"
},
{
"category": "external",
"summary": "RHBZ#2428412",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428412"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-22029",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22029"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-22029",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22029"
},
{
"category": "external",
"summary": "https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx",
"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx"
}
],
"release_date": "2026-01-10T02:42:32.736000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T16:16:04+00:00",
"details": "See Kiali 2.17.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2149"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f3a430fc3f2bc6d3c66ea3ae3871987e3f5e8a17dd756008593ac5e7b48da289_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:700c2524c0def53bf8e5f7832c27496a3e9ff5c9d939d38c59a7fae167418e16_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:c602eca72f7b82ac6431748219e88eb0500f5aaedd446ffacbce982cdb7321f1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:d2d862c021ddcd974a12d63ea6c270e2de651201182c16baa3e24f7ce8985daf_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:fcb5d2c8e4ae372cb0009dc15d46eb5a10163139b61b063115c3d3fce90265e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:22a68e23c1b378898676346df798973f60c1784f93fcbcca713d1b09f19d251f_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:447415cd243bbab90dc1c472f0acc5249b01a83eb7473934fc3bcbcf2c77d107_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:46a3b372f155663da9a5caac4ee601ba834e35c129cbf144d28aab641b4cc7ca_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1b7f45b075f779df79d659fd07a3bfbb85a47468d6d856a2738d312a3d67e7d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a97c82b48b920f1d3843d08dbe55d3759b237365e2b97501a640a1c0bd08d5ca_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ced99993701c64b69f412c0ef9991a8d6d38ee1c8520330c4ac999addbb3bbbe_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d9c852cf7f5f21374f8ae2e31692fa30090dbe13fa66b3a608fc07d0a5e8ae2c_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ef18675f445508d01ae56ef59709b70d4b69187bb03425061cac62998f643fe5_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "@remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects"
}
]
}
RHSA-2026:2201
Vulnerability from csaf_redhat - Published: 2026-02-05 22:10 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Lightspeed (formerly Insights) for Runtimes on RHEL 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "An update is now available for Red Hat Lightspeed (formerly Insights) for Runtimes on RHEL 9.\n\nSecurity fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2201",
"url": "https://access.redhat.com/errata/RHSA-2026:2201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61729",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2201.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Lightspeed (formerly Insights) for Runtimes security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:03+00:00",
"generator": {
"date": "2026-07-02T16:17:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2201",
"initial_release_date": "2026-02-05T22:10:05+00:00",
"revision_history": [
{
"date": "2026-02-05T22:10:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T22:10:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product": {
"name": "Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_id": "Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:lightspeed_for_runtimes:1.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Lightspeed (formerly Insights) for Runtimes"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"product": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"product_id": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"product_identification_helper": {
"purl": "pkg:oci/runtimes-inventory-rhel9-operator@sha256%3A9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363?arch=amd64\u0026repository_url=registry.redhat.io/rh-lightspeed-runtimes\u0026tag=1.0.0-1770223260"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64",
"product": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64",
"product_id": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/runtimes-inventory-operator-bundle@sha256%3A215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3?arch=amd64\u0026repository_url=registry.redhat.io/rh-lightspeed-runtimes\u0026tag=1.0.0-1770229956"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"product": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"product_id": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/runtimes-inventory-rhel9-operator@sha256%3A8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a?arch=arm64\u0026repository_url=registry.redhat.io/rh-lightspeed-runtimes\u0026tag=1.0.0-1770223260"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le",
"product": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le",
"product_id": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/runtimes-inventory-rhel9-operator@sha256%3Aefa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-lightspeed-runtimes\u0026tag=1.0.0-1770223260"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"product": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"product_id": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"product_identification_helper": {
"purl": "pkg:oci/runtimes-inventory-rhel9-operator@sha256%3Aa4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11?arch=s390x\u0026repository_url=registry.redhat.io/rh-lightspeed-runtimes\u0026tag=1.0.0-1770223260"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64 as a component of Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_id": "Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64"
},
"product_reference": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64",
"relates_to_product_reference": "Red Hat Lightspeed (formerly Insights) for Runtimes 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64 as a component of Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_id": "Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64"
},
"product_reference": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"relates_to_product_reference": "Red Hat Lightspeed (formerly Insights) for Runtimes 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64 as a component of Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_id": "Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64"
},
"product_reference": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"relates_to_product_reference": "Red Hat Lightspeed (formerly Insights) for Runtimes 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x as a component of Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_id": "Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x"
},
"product_reference": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"relates_to_product_reference": "Red Hat Lightspeed (formerly Insights) for Runtimes 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le as a component of Red Hat Lightspeed (formerly Insights) for Runtimes 1",
"product_id": "Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le"
},
"product_reference": "registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le",
"relates_to_product_reference": "Red Hat Lightspeed (formerly Insights) for Runtimes 1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le"
],
"known_not_affected": [
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T22:10:05+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-operator-bundle@sha256:215ffb659953b515a6ae4e4162bb641eaa0d7dd548a0d8487b8bce0cc77e07d3_amd64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:8e161ba88509d7757f7984f59638a55826d8cbb5985f42b07a139e7d2010934a_arm64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:9782b38d317f3bd46c4b312e98ddd845f900bf3dc17d89954e2fc0693d35a363_amd64",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:a4e92b34cc470c81c2bdf31e7e1c0a14cc1ed50947ebadf27cfc29bbe632cc11_s390x",
"Red Hat Lightspeed (formerly Insights) for Runtimes 1:registry.redhat.io/rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator@sha256:efa869209e9675e3dcc1ae35f6fd59218f36573dbb87467be82123c625270573_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2217
Vulnerability from csaf_redhat - Published: 2026-02-09 01:27 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2217",
"url": "https://access.redhat.com/errata/RHSA-2026:2217"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2217.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:04+00:00",
"generator": {
"date": "2026-07-02T16:17:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2217",
"initial_release_date": "2026-02-09T01:27:56+00:00",
"revision_history": [
{
"date": "2026-02-09T01:27:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T01:27:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.4::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8)",
"product_id": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=src\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-3.module%2Bel8.4.0%2B22765%2B91da4d3f?arch=src\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=src\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-3.module%2Bel8.4.0%2B22765%2B91da4d3f?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.15.14-18.module%2Bel8.4.0%2B23967%2B1519124e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020260205134630:5081a262"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T01:27:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2217"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-18.module+el8.4.0+23967+1519124e.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-18.module+el8.4.0+23967+1519124e.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2218
Vulnerability from csaf_redhat - Published: 2026-02-09 01:55 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-13.el9_4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-13.el9_4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-13.el9_4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-13.el9_4.noarch | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2218",
"url": "https://access.redhat.com/errata/RHSA-2026:2218"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2218.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:04+00:00",
"generator": {
"date": "2026-07-02T16:17:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2218",
"initial_release_date": "2026-02-09T01:55:26+00:00",
"revision_history": [
{
"date": "2026-02-09T01:55:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T01:55:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-13.el9_4.aarch64",
"product": {
"name": "go-toolset-0:1.21.13-13.el9_4.aarch64",
"product_id": "go-toolset-0:1.21.13-13.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-13.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-13.el9_4.aarch64",
"product": {
"name": "golang-0:1.21.13-13.el9_4.aarch64",
"product_id": "golang-0:1.21.13-13.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-13.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-13.el9_4.aarch64",
"product": {
"name": "golang-bin-0:1.21.13-13.el9_4.aarch64",
"product_id": "golang-bin-0:1.21.13-13.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-13.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-13.el9_4.ppc64le",
"product": {
"name": "go-toolset-0:1.21.13-13.el9_4.ppc64le",
"product_id": "go-toolset-0:1.21.13-13.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-13.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-13.el9_4.ppc64le",
"product": {
"name": "golang-0:1.21.13-13.el9_4.ppc64le",
"product_id": "golang-0:1.21.13-13.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-13.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-13.el9_4.ppc64le",
"product": {
"name": "golang-bin-0:1.21.13-13.el9_4.ppc64le",
"product_id": "golang-bin-0:1.21.13-13.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-13.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-13.el9_4.x86_64",
"product": {
"name": "go-toolset-0:1.21.13-13.el9_4.x86_64",
"product_id": "go-toolset-0:1.21.13-13.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-13.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-13.el9_4.x86_64",
"product": {
"name": "golang-0:1.21.13-13.el9_4.x86_64",
"product_id": "golang-0:1.21.13-13.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-13.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-13.el9_4.x86_64",
"product": {
"name": "golang-bin-0:1.21.13-13.el9_4.x86_64",
"product_id": "golang-bin-0:1.21.13-13.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-13.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-13.el9_4.s390x",
"product": {
"name": "go-toolset-0:1.21.13-13.el9_4.s390x",
"product_id": "go-toolset-0:1.21.13-13.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-13.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-13.el9_4.s390x",
"product": {
"name": "golang-0:1.21.13-13.el9_4.s390x",
"product_id": "golang-0:1.21.13-13.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-13.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-13.el9_4.s390x",
"product": {
"name": "golang-bin-0:1.21.13-13.el9_4.s390x",
"product_id": "golang-bin-0:1.21.13-13.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-13.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.21.13-13.el9_4.src",
"product": {
"name": "golang-0:1.21.13-13.el9_4.src",
"product_id": "golang-0:1.21.13-13.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-13.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.21.13-13.el9_4.noarch",
"product": {
"name": "golang-docs-0:1.21.13-13.el9_4.noarch",
"product_id": "golang-docs-0:1.21.13-13.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.21.13-13.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.21.13-13.el9_4.noarch",
"product": {
"name": "golang-misc-0:1.21.13-13.el9_4.noarch",
"product_id": "golang-misc-0:1.21.13-13.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.21.13-13.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.21.13-13.el9_4.noarch",
"product": {
"name": "golang-src-0:1.21.13-13.el9_4.noarch",
"product_id": "golang-src-0:1.21.13-13.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.21.13-13.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.21.13-13.el9_4.noarch",
"product": {
"name": "golang-tests-0:1.21.13-13.el9_4.noarch",
"product_id": "golang-tests-0:1.21.13-13.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.21.13-13.el9_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-13.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.aarch64"
},
"product_reference": "go-toolset-0:1.21.13-13.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-13.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.ppc64le"
},
"product_reference": "go-toolset-0:1.21.13-13.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-13.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.s390x"
},
"product_reference": "go-toolset-0:1.21.13-13.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-13.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.x86_64"
},
"product_reference": "go-toolset-0:1.21.13-13.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-13.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.aarch64"
},
"product_reference": "golang-0:1.21.13-13.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-13.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.ppc64le"
},
"product_reference": "golang-0:1.21.13-13.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-13.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.s390x"
},
"product_reference": "golang-0:1.21.13-13.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-13.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.src"
},
"product_reference": "golang-0:1.21.13-13.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-13.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.x86_64"
},
"product_reference": "golang-0:1.21.13-13.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-13.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.aarch64"
},
"product_reference": "golang-bin-0:1.21.13-13.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-13.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.ppc64le"
},
"product_reference": "golang-bin-0:1.21.13-13.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-13.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.s390x"
},
"product_reference": "golang-bin-0:1.21.13-13.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-13.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.x86_64"
},
"product_reference": "golang-bin-0:1.21.13-13.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.21.13-13.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-13.el9_4.noarch"
},
"product_reference": "golang-docs-0:1.21.13-13.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.21.13-13.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-13.el9_4.noarch"
},
"product_reference": "golang-misc-0:1.21.13-13.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.21.13-13.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-13.el9_4.noarch"
},
"product_reference": "golang-src-0:1.21.13-13.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.21.13-13.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-13.el9_4.noarch"
},
"product_reference": "golang-tests-0:1.21.13-13.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-13.el9_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T01:55:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-13.el9_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2218"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-13.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-13.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-13.el9_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2219
Vulnerability from csaf_redhat - Published: 2026-02-09 01:48 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-21.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-21.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-21.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-21.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-21.el9_2.noarch | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2219",
"url": "https://access.redhat.com/errata/RHSA-2026:2219"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2219.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:05+00:00",
"generator": {
"date": "2026-07-02T16:17:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2219",
"initial_release_date": "2026-02-09T01:48:16+00:00",
"revision_history": [
{
"date": "2026-02-09T01:48:16+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T01:48:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-21.el9_2.src",
"product": {
"name": "golang-0:1.19.13-21.el9_2.src",
"product_id": "golang-0:1.19.13-21.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-21.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-21.el9_2.aarch64",
"product": {
"name": "golang-0:1.19.13-21.el9_2.aarch64",
"product_id": "golang-0:1.19.13-21.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-21.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-21.el9_2.aarch64",
"product": {
"name": "golang-bin-0:1.19.13-21.el9_2.aarch64",
"product_id": "golang-bin-0:1.19.13-21.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-21.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-21.el9_2.ppc64le",
"product": {
"name": "golang-0:1.19.13-21.el9_2.ppc64le",
"product_id": "golang-0:1.19.13-21.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-21.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-21.el9_2.ppc64le",
"product": {
"name": "golang-bin-0:1.19.13-21.el9_2.ppc64le",
"product_id": "golang-bin-0:1.19.13-21.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-21.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-21.el9_2.x86_64",
"product": {
"name": "golang-0:1.19.13-21.el9_2.x86_64",
"product_id": "golang-0:1.19.13-21.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-21.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-21.el9_2.x86_64",
"product": {
"name": "golang-bin-0:1.19.13-21.el9_2.x86_64",
"product_id": "golang-bin-0:1.19.13-21.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-21.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.19.13-21.el9_2.x86_64",
"product": {
"name": "golang-race-0:1.19.13-21.el9_2.x86_64",
"product_id": "golang-race-0:1.19.13-21.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.19.13-21.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-21.el9_2.s390x",
"product": {
"name": "golang-0:1.19.13-21.el9_2.s390x",
"product_id": "golang-0:1.19.13-21.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-21.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-21.el9_2.s390x",
"product": {
"name": "golang-bin-0:1.19.13-21.el9_2.s390x",
"product_id": "golang-bin-0:1.19.13-21.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-21.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.19.13-21.el9_2.noarch",
"product": {
"name": "golang-docs-0:1.19.13-21.el9_2.noarch",
"product_id": "golang-docs-0:1.19.13-21.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.19.13-21.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.19.13-21.el9_2.noarch",
"product": {
"name": "golang-misc-0:1.19.13-21.el9_2.noarch",
"product_id": "golang-misc-0:1.19.13-21.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.19.13-21.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.19.13-21.el9_2.noarch",
"product": {
"name": "golang-src-0:1.19.13-21.el9_2.noarch",
"product_id": "golang-src-0:1.19.13-21.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.19.13-21.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.19.13-21.el9_2.noarch",
"product": {
"name": "golang-tests-0:1.19.13-21.el9_2.noarch",
"product_id": "golang-tests-0:1.19.13-21.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.19.13-21.el9_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-21.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.aarch64"
},
"product_reference": "golang-0:1.19.13-21.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-21.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.ppc64le"
},
"product_reference": "golang-0:1.19.13-21.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-21.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.s390x"
},
"product_reference": "golang-0:1.19.13-21.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-21.el9_2.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.src"
},
"product_reference": "golang-0:1.19.13-21.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-21.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.x86_64"
},
"product_reference": "golang-0:1.19.13-21.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-21.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.aarch64"
},
"product_reference": "golang-bin-0:1.19.13-21.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-21.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.ppc64le"
},
"product_reference": "golang-bin-0:1.19.13-21.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-21.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.s390x"
},
"product_reference": "golang-bin-0:1.19.13-21.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-21.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.x86_64"
},
"product_reference": "golang-bin-0:1.19.13-21.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-21.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-21.el9_2.noarch"
},
"product_reference": "golang-docs-0:1.19.13-21.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-21.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-21.el9_2.noarch"
},
"product_reference": "golang-misc-0:1.19.13-21.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-21.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-21.el9_2.x86_64"
},
"product_reference": "golang-race-0:1.19.13-21.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-21.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-21.el9_2.noarch"
},
"product_reference": "golang-src-0:1.19.13-21.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-21.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-21.el9_2.noarch"
},
"product_reference": "golang-tests-0:1.19.13-21.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-21.el9_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T01:48:16+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-21.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2219"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-21.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-21.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-21.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2223
Vulnerability from csaf_redhat - Published: 2026-02-09 01:34 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2223",
"url": "https://access.redhat.com/errata/RHSA-2026:2223"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2223.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:05+00:00",
"generator": {
"date": "2026-07-02T16:17:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2223",
"initial_release_date": "2026-02-09T01:34:56+00:00",
"revision_history": [
{
"date": "2026-02-09T01:34:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T01:34:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src (go-toolset:rhel8)",
"product_id": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=src\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.13.15-1.module%2Bel8.2.0%2B7662%2Bfa98b974?arch=src\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src (go-toolset:rhel8)",
"product_id": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=src\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.13.15-1.module%2Bel8.2.0%2B7662%2Bfa98b974?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.13.15-13.module%2Bel8.2.0%2B23958%2B12140f3a?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020260203092300:02f7cb7a"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T01:34:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2223"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-13.module+el8.2.0+23958+12140f3a.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-13.module+el8.2.0+23958+12140f3a.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2265
Vulnerability from csaf_redhat - Published: 2026-02-09 05:56 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64 | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang-github-openprinting-ipp-usb is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables\n driverless support for USB devices capable of using IPP-over-USB protocol.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2265",
"url": "https://access.redhat.com/errata/RHSA-2026:2265"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2265.json"
}
],
"title": "Red Hat Security Advisory: golang-github-openprinting-ipp-usb security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:05+00:00",
"generator": {
"date": "2026-07-02T16:17:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2265",
"initial_release_date": "2026-02-09T05:56:42+00:00",
"revision_history": [
{
"date": "2026-02-09T05:56:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T05:56:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux_eus:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"product": {
"name": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"product_id": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb@0.9.27-3.el10_0.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src"
},
"product_reference": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.aarch64"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.ppc64le"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.s390x"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.x86_64"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T05:56:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2265"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.1.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.1.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.1.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2320
Vulnerability from csaf_redhat - Published: 2026-02-09 11:08 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-9.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-9.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-9.el9_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-9.el9_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-9.el9_0.noarch | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2320",
"url": "https://access.redhat.com/errata/RHSA-2026:2320"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2320.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:06+00:00",
"generator": {
"date": "2026-07-02T16:17:06+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2320",
"initial_release_date": "2026-02-09T11:08:53+00:00",
"revision_history": [
{
"date": "2026-02-09T11:08:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T11:08:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:06+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.0::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-9.el9_0.src",
"product": {
"name": "golang-0:1.17.13-9.el9_0.src",
"product_id": "golang-0:1.17.13-9.el9_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-9.el9_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-9.el9_0.aarch64",
"product": {
"name": "golang-0:1.17.13-9.el9_0.aarch64",
"product_id": "golang-0:1.17.13-9.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-9.el9_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-9.el9_0.aarch64",
"product": {
"name": "golang-bin-0:1.17.13-9.el9_0.aarch64",
"product_id": "golang-bin-0:1.17.13-9.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-9.el9_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-9.el9_0.ppc64le",
"product": {
"name": "golang-0:1.17.13-9.el9_0.ppc64le",
"product_id": "golang-0:1.17.13-9.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-9.el9_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-9.el9_0.ppc64le",
"product": {
"name": "golang-bin-0:1.17.13-9.el9_0.ppc64le",
"product_id": "golang-bin-0:1.17.13-9.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-9.el9_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-9.el9_0.x86_64",
"product": {
"name": "golang-0:1.17.13-9.el9_0.x86_64",
"product_id": "golang-0:1.17.13-9.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-9.el9_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-9.el9_0.x86_64",
"product": {
"name": "golang-bin-0:1.17.13-9.el9_0.x86_64",
"product_id": "golang-bin-0:1.17.13-9.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-9.el9_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.17.13-9.el9_0.x86_64",
"product": {
"name": "golang-race-0:1.17.13-9.el9_0.x86_64",
"product_id": "golang-race-0:1.17.13-9.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.17.13-9.el9_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-9.el9_0.s390x",
"product": {
"name": "golang-0:1.17.13-9.el9_0.s390x",
"product_id": "golang-0:1.17.13-9.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-9.el9_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-9.el9_0.s390x",
"product": {
"name": "golang-bin-0:1.17.13-9.el9_0.s390x",
"product_id": "golang-bin-0:1.17.13-9.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-9.el9_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.17.13-9.el9_0.noarch",
"product": {
"name": "golang-docs-0:1.17.13-9.el9_0.noarch",
"product_id": "golang-docs-0:1.17.13-9.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.17.13-9.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.17.13-9.el9_0.noarch",
"product": {
"name": "golang-misc-0:1.17.13-9.el9_0.noarch",
"product_id": "golang-misc-0:1.17.13-9.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.17.13-9.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.17.13-9.el9_0.noarch",
"product": {
"name": "golang-src-0:1.17.13-9.el9_0.noarch",
"product_id": "golang-src-0:1.17.13-9.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.17.13-9.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.17.13-9.el9_0.noarch",
"product": {
"name": "golang-tests-0:1.17.13-9.el9_0.noarch",
"product_id": "golang-tests-0:1.17.13-9.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.17.13-9.el9_0?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-9.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.aarch64"
},
"product_reference": "golang-0:1.17.13-9.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-9.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.ppc64le"
},
"product_reference": "golang-0:1.17.13-9.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-9.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.s390x"
},
"product_reference": "golang-0:1.17.13-9.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-9.el9_0.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.src"
},
"product_reference": "golang-0:1.17.13-9.el9_0.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-9.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.x86_64"
},
"product_reference": "golang-0:1.17.13-9.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-9.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.aarch64"
},
"product_reference": "golang-bin-0:1.17.13-9.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-9.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.ppc64le"
},
"product_reference": "golang-bin-0:1.17.13-9.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-9.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.s390x"
},
"product_reference": "golang-bin-0:1.17.13-9.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-9.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.x86_64"
},
"product_reference": "golang-bin-0:1.17.13-9.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.17.13-9.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-9.el9_0.noarch"
},
"product_reference": "golang-docs-0:1.17.13-9.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.17.13-9.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-9.el9_0.noarch"
},
"product_reference": "golang-misc-0:1.17.13-9.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.17.13-9.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-9.el9_0.x86_64"
},
"product_reference": "golang-race-0:1.17.13-9.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.17.13-9.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-9.el9_0.noarch"
},
"product_reference": "golang-src-0:1.17.13-9.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.17.13-9.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-9.el9_0.noarch"
},
"product_reference": "golang-tests-0:1.17.13-9.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-9.el9_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T11:08:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-9.el9_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2320"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-9.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-9.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-9.el9_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
RHSA-2026:2323
Vulnerability from csaf_redhat - Published: 2026-02-09 11:51 - Updated: 2026-07-02 16:17A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64 | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2323",
"url": "https://access.redhat.com/errata/RHSA-2026:2323"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2323.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security update",
"tracking": {
"current_release_date": "2026-07-02T16:17:06+00:00",
"generator": {
"date": "2026-07-02T16:17:06+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:2323",
"initial_release_date": "2026-02-09T11:51:28+00:00",
"revision_history": [
{
"date": "2026-02-09T11:51:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-09T11:51:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-02T16:17:06+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-7.el8_10.ppc64le",
"product": {
"name": "git-lfs-0:3.4.1-7.el8_10.ppc64le",
"product_id": "git-lfs-0:3.4.1-7.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-7.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"product_id": "git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-7.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-7.el8_10?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-7.el8_10.x86_64",
"product": {
"name": "git-lfs-0:3.4.1-7.el8_10.x86_64",
"product_id": "git-lfs-0:3.4.1-7.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-7.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64",
"product_id": "git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-7.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"product_id": "git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-7.el8_10?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-7.el8_10.s390x",
"product": {
"name": "git-lfs-0:3.4.1-7.el8_10.s390x",
"product_id": "git-lfs-0:3.4.1-7.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-7.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"product_id": "git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-7.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"product_id": "git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-7.el8_10?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-7.el8_10.src",
"product": {
"name": "git-lfs-0:3.4.1-7.el8_10.src",
"product_id": "git-lfs-0:3.4.1-7.el8_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-7.el8_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-7.el8_10.aarch64",
"product": {
"name": "git-lfs-0:3.4.1-7.el8_10.aarch64",
"product_id": "git-lfs-0:3.4.1-7.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-7.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"product_id": "git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-7.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"product_id": "git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-7.el8_10?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-7.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.aarch64"
},
"product_reference": "git-lfs-0:3.4.1-7.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-7.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.ppc64le"
},
"product_reference": "git-lfs-0:3.4.1-7.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-7.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.s390x"
},
"product_reference": "git-lfs-0:3.4.1-7.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-7.el8_10.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.src"
},
"product_reference": "git-lfs-0:3.4.1-7.el8_10.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-7.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.x86_64"
},
"product_reference": "git-lfs-0:3.4.1-7.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-09T11:51:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2323"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-7.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-7.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-7.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.