Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-47906 (GCVE-0-2025-47906)
Vulnerability from cvelistv5 – Published: 2025-09-18 18:41 – Updated: 2025-11-04 21:10
VLAI
EPSS
Title
Unexpected paths returned from LookPath in os/exec
Summary
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-115 - Misinterpretation of Input
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | os/exec |
Affected:
0 , < 1.23.12
(semver)
Affected: 1.24.0 , < 1.24.6 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-18T20:42:17.936162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T20:42:38.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:10:54.782Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "os/exec",
"product": "os/exec",
"programRoutines": [
{
"name": "LookPath"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.23.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.24.6",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-115: Misinterpretation of Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T18:41:11.847Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/691775"
},
{
"url": "https://go.dev/issue/74466"
},
{
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"title": "Unexpected paths returned from LookPath in os/exec"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-47906",
"datePublished": "2025-09-18T18:41:11.847Z",
"dateReserved": "2025-05-13T23:31:29.596Z",
"dateUpdated": "2025-11-04T21:10:54.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-47906",
"date": "2026-06-07",
"epss": "0.00044",
"percentile": "0.14038"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47906\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2025-09-18T19:15:37.660\",\"lastModified\":\"2026-01-27T19:56:17.707\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\\\"\\\", \\\".\\\", and \\\"..\\\"), can result in the binaries listed in the PATH being unexpectedly returned.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.23.12\",\"matchCriteriaId\":\"6B868FEB-2BCB-4816-B575-BEF1ADD15C5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.24.0\",\"versionEndExcluding\":\"1.24.6\",\"matchCriteriaId\":\"21442DAA-1345-47FB-8DA6-2589ABB8CB08\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/691775\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/74466\",\"source\":\"security@golang.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/x5MKroML2yM\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2025-3956\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/08/06/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Issue Tracking\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/08/06/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:10:54.782Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47906\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-18T20:42:17.936162Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-18T20:42:34.381Z\"}}], \"cna\": {\"title\": \"Unexpected paths returned from LookPath in os/exec\", \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"os/exec\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.23.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.24.0\", \"lessThan\": \"1.24.6\", \"versionType\": \"semver\"}], \"packageName\": \"os/exec\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"LookPath\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/691775\"}, {\"url\": \"https://go.dev/issue/74466\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/x5MKroML2yM\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2025-3956\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\\\"\\\", \\\".\\\", and \\\"..\\\"), can result in the binaries listed in the PATH being unexpectedly returned.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-115: Misinterpretation of Input\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2025-09-18T18:41:11.847Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-47906\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:10:54.782Z\", \"dateReserved\": \"2025-05-13T23:31:29.596Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2025-09-18T18:41:11.847Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2025:22935
Vulnerability from csaf_redhat - Published: 2025-12-09 14:40 - Updated: 2026-06-02 15:25Summary
Red Hat Security Advisory: Red Hat Update Infrastructure 5 security update
Severity
Important
Notes
Topic: The latest release of Red Hat Update Infrastructure. For more details, see the product documentation.
Details: Red Hat Update Infrastructure (RHUI) container images are based on the latest RHUI RPM packages and the ubi9 or ubi9-init base images.
This release updates to the latest version.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The latest release of Red Hat Update Infrastructure. For more details, see the product documentation.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Update Infrastructure (RHUI) container images are based on the latest RHUI RPM packages and the ubi9 or ubi9-init base images.\nThis release updates to the latest version.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22935",
"url": "https://access.redhat.com/errata/RHSA-2025:22935"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/red-hat-update-infrastructure",
"url": "https://access.redhat.com/products/red-hat-update-infrastructure"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47906",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59375",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/5",
"url": "https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/5"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22935.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Update Infrastructure 5 security update",
"tracking": {
"current_release_date": "2026-06-02T15:25:17+00:00",
"generator": {
"date": "2026-06-02T15:25:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:22935",
"initial_release_date": "2025-12-09T14:40:14+00:00",
"revision_history": [
{
"date": "2025-12-09T14:40:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-09T14:40:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T15:25:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Update Infrastructure 5",
"product": {
"name": "Red Hat Update Infrastructure 5",
"product_id": "Red Hat Update Infrastructure 5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhui:5::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Update Infrastructure"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"product": {
"name": "registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"product_id": "registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cds-rhel9@sha256%3Aa71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6?arch=amd64\u0026repository_url=registry.redhat.io/rhui5"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"product": {
"name": "registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"product_id": "registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/haproxy-rhel9@sha256%3A67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed?arch=amd64\u0026repository_url=registry.redhat.io/rhui5"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"product": {
"name": "registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"product_id": "registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/installer-rhel9@sha256%3A8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd?arch=amd64\u0026repository_url=registry.redhat.io/rhui5"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64",
"product": {
"name": "registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64",
"product_id": "registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhua-rhel9@sha256%3A72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824?arch=amd64\u0026repository_url=registry.redhat.io/rhui5"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64 as a component of Red Hat Update Infrastructure 5",
"product_id": "Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64"
},
"product_reference": "registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"relates_to_product_reference": "Red Hat Update Infrastructure 5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64 as a component of Red Hat Update Infrastructure 5",
"product_id": "Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64"
},
"product_reference": "registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"relates_to_product_reference": "Red Hat Update Infrastructure 5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64 as a component of Red Hat Update Infrastructure 5",
"product_id": "Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64"
},
"product_reference": "registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"relates_to_product_reference": "Red Hat Update Infrastructure 5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64 as a component of Red Hat Update Infrastructure 5",
"product_id": "Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
},
"product_reference": "registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64",
"relates_to_product_reference": "Red Hat Update Infrastructure 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
],
"known_not_affected": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T14:40:14+00:00",
"details": "The container images provided by this release, apart from the installer, should be deployed using rhui-installer utility.\nSee the official documentation for more details.",
"product_ids": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22935"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-59375",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-09-15T03:00:59.775098+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2395108"
}
],
"notes": [
{
"category": "description",
"text": "A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is Important rather than Critical because, while it allows for significant resource exhaustion leading to denial-of-service (DoS), it does not enable arbitrary code execution, data leakage, or privilege escalation. The vulnerability stems from an uncontrolled memory amplification behavior in libexpat\u2019s parser, where a relatively small XML payload can cause disproportionately large heap allocations. However, the flaw is limited in scope to service disruption and requires the attacker to submit a crafted XML document\u2014something that can be mitigated with proper input validation and memory usage limits. Therefore, while the exploitability is high, the impact is confined to availability, not confidentiality or integrity, making it a high-severity but not critical flaw.\n\nIn Firefox and Thunderbird, where libexpat is a transitive userspace dependency, exploitation usually just crashes the application (app-level DoS), so it is classified as Moderate instead of Important.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "RHBZ#2395108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375"
},
{
"category": "external",
"summary": "https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375"
}
],
"release_date": "2025-09-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T14:40:14+00:00",
"details": "The container images provided by this release, apart from the installer, should be deployed using rhui-installer utility.\nSee the official documentation for more details.",
"product_ids": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22935"
},
{
"category": "workaround",
"details": "To mitigate the issue, limit XML input size and complexity before parsing, and avoid accepting compressed or deeply nested XML. Use OS-level resource controls (like ulimit or setrlimit()) to cap memory usage, or run the parser in a sandboxed or isolated process with strict memory and CPU limits. This helps prevent denial-of-service by containing excessive resource consumption.",
"product_ids": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/cds-rhel9@sha256:a71cf22ac5a6c6488f6fd261b37ed423fb7f8ae21716d57542cb964908e5dff6_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/haproxy-rhel9@sha256:67ea913cd9963ae2863633501da0fe05ddbdb6064d1f6ca9597649e44665f0ed_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/installer-rhel9@sha256:8641fa15608fbbb0d27c4b958cfaf52ca32f39f2b06b0b3e6d41c33ae902edbd_amd64",
"Red Hat Update Infrastructure 5:registry.redhat.io/rhui5/rhua-rhel9@sha256:72ac7afb81d57da7ee569790df6697785afe8f5b1379f3f6d3df5fc1ad741824_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing"
}
]
}
RHSA-2025:23205
Vulnerability from csaf_redhat - Published: 2025-12-15 15:38 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: Red Hat AI Inference Server 3.2.5 (ROCm)
Severity
Important
Notes
Topic: Red Hat AI Inference Server 3.2.5 (ROCm) is now available.
Details: Red Hat® AI Inference Server
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).
5.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in libxstl/libxml2. The 'exsltDynMapFunction' function in libexslt/dynamic.c does not contain a recursion depth check, which may cause an infinite loop via a specially crafted XSLT document while handling 'dyn:map()', leading to stack exhaustion and a local denial of service.
6.2 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability in vLLM allows attackers to supply malicious serialized prompt-embedding tensors that are deserialized using torch.load() without validation. Due to PyTorch 2.8.0 disabling sparse-tensor integrity checks by default, a crafted tensor can bypass bounds checks and cause an out-of-bounds write during to_dense(), leading to a crash (DoS) and potentially remote code execution on the vLLM server.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A denial-of-service vulnerability in vLLM allows an attacker with API access to crash the engine by submitting multimodal embedding tensors that have the correct number of dimensions but an invalid internal shape. Because vLLM validates only the tensor’s ndim and not the full expected shape, malformed embeddings trigger shape mismatches or validation failures during processing, causing the inference engine to terminate.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A remote code execution vulnerability has been identified in vLLM. An attacker can exploit a weakness in the model loading process to silently fetch and run unauthorized, malicious Python code on the host system. This happens because the engine mistakenly executes code from a remote repository referenced in a model's configuration, even when explicit security measures are set to prevent it.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
84 references
Acknowledgments
jub0bs
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat AI Inference Server 3.2.5 (ROCm) is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat\u00ae AI Inference Server",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23205",
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-22868",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-22869",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47906",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-52565",
"url": "https://access.redhat.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59375",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-62164",
"url": "https://access.redhat.com/security/cve/CVE-2025-62164"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-62372",
"url": "https://access.redhat.com/security/cve/CVE-2025-62372"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66448",
"url": "https://access.redhat.com/security/cve/CVE-2025-66448"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66506",
"url": "https://access.redhat.com/security/cve/CVE-2025-66506"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9230",
"url": "https://access.redhat.com/security/cve/CVE-2025-9230"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9714",
"url": "https://access.redhat.com/security/cve/CVE-2025-9714"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://www.redhat.com/en/products/ai/inference-server",
"url": "https://www.redhat.com/en/products/ai/inference-server"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23205.json"
}
],
"title": "Red Hat Security Advisory: Red Hat AI Inference Server 3.2.5 (ROCm)",
"tracking": {
"current_release_date": "2026-06-07T15:33:30+00:00",
"generator": {
"date": "2026-06-07T15:33:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:23205",
"initial_release_date": "2025-12-15T15:38:07+00:00",
"revision_history": [
{
"date": "2025-12-15T15:38:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-15T15:38:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AI Inference Server 3.2",
"product": {
"name": "Red Hat AI Inference Server 3.2",
"product_id": "Red Hat AI Inference Server 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ai_inference_server:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat AI Inference Server"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64",
"product": {
"name": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64",
"product_id": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64",
"product_identification_helper": {
"purl": "pkg:oci/vllm-rocm-rhel9@sha256%3Ae3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287?arch=amd64\u0026repository_url=registry.redhat.io/rhaiis\u0026tag=3.2.5-1765361180"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64 as a component of Red Hat AI Inference Server 3.2",
"product_id": "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
},
"product_reference": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64",
"relates_to_product_reference": "Red Hat AI Inference Server 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-9230",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-09-17T12:15:34.387000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396054"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was rated as Moderate because, while the potential impact includes an application level denial of service and possible arbitrary code execution, successful exploitation is considered unlikely due to the high attack complexity and the fact that password-based CMS encryption (PWRI) is rarely used in real-world deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9230"
},
{
"category": "external",
"summary": "RHBZ#2396054",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396054"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230"
}
],
"release_date": "2025-09-30T23:59:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap"
},
{
"cve": "CVE-2025-9714",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2025-09-02T13:03:56.452000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392605"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxstl/libxml2. The \u0027exsltDynMapFunction\u0027 function in libexslt/dynamic.c does not contain a recursion depth check, which may cause an infinite loop via a specially crafted XSLT document while handling \u0027dyn:map()\u0027, leading to stack exhaustion and a local denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No evidence was found for arbitrary memory corruption through this flaw, limiting its impact to Availability only, and reducing its severity to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9714"
},
{
"category": "external",
"summary": "RHBZ#2392605",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392605"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9714"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148"
}
],
"release_date": "2025-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "The impact of this flaw may be reduced by setting strict resource limits to the stack size of processes at the operational system level. This can be achieved either through the \u0027ulimit\u0027 shell built-in or the \u0027limits.conf\u0027 file.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c"
},
{
"acknowledgments": [
{
"names": [
"jub0bs"
]
}
],
"cve": "CVE-2025-22868",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2025-02-26T04:00:44.350024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "RHBZ#2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://go.dev/cl/652155",
"url": "https://go.dev/cl/652155"
},
{
"category": "external",
"summary": "https://go.dev/issue/71490",
"url": "https://go.dev/issue/71490"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3488",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"release_date": "2025-02-26T03:07:49.012000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
},
{
"cve": "CVE-2025-22869",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-02-26T04:00:47.683125+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "RHBZ#2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://go.dev/cl/652135",
"url": "https://go.dev/cl/652135"
},
{
"category": "external",
"summary": "https://go.dev/issue/71931",
"url": "https://go.dev/issue/71931"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3487",
"url": "https://pkg.go.dev/vuln/GO-2025-3487"
}
],
"release_date": "2025-02-26T03:07:48.855000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
},
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-52565",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2025-10-17T14:19:18.653000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2404708"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console\nbind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "runc: container escape with malicious config due to /dev/console mount and related races",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat considers this as an Important flaw since the impact is limited to local attack with minimal privileges in order to jeopardize the environment.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "RHBZ#2404708",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404708"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52565",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52565"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
}
],
"release_date": "2025-11-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "Potential mitigations for this issue include:\n\n* Using user namespaces, with the host root user not mapped into the container\u0027s namespace. procfs file permissions are managed using Unix DAC and thus user namespaces stop a container process from being able to write to them.\n* Not running as a root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC and thus non-root users cannot write to them.\n* The default SELinux policy should mitigate this issue, as the /dev/console bind-mount does not re-label the mount and so the container process should not be able to write to unsafe procfs files. However, CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not helpful when considered in combination with CVE-2025-52881.\n* The default AppArmor profile used by most runtimes will NOT help mitigate this issue, as /dev/console access is permitted. You could create a custom profile that blocks access to /dev/console, but such a profile might break regular containers. In addition, CVE-2025-52881 allows an attacker to bypass LSM labels, and so that mitigation is not helpful when considered in combination with CVE-2025-52881.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "runc: container escape with malicious config due to /dev/console mount and related races"
},
{
"cve": "CVE-2025-59375",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-09-15T03:00:59.775098+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2395108"
}
],
"notes": [
{
"category": "description",
"text": "A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is Important rather than Critical because, while it allows for significant resource exhaustion leading to denial-of-service (DoS), it does not enable arbitrary code execution, data leakage, or privilege escalation. The vulnerability stems from an uncontrolled memory amplification behavior in libexpat\u2019s parser, where a relatively small XML payload can cause disproportionately large heap allocations. However, the flaw is limited in scope to service disruption and requires the attacker to submit a crafted XML document\u2014something that can be mitigated with proper input validation and memory usage limits. Therefore, while the exploitability is high, the impact is confined to availability, not confidentiality or integrity, making it a high-severity but not critical flaw.\n\nIn Firefox and Thunderbird, where libexpat is a transitive userspace dependency, exploitation usually just crashes the application (app-level DoS), so it is classified as Moderate instead of Important.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "RHBZ#2395108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375"
},
{
"category": "external",
"summary": "https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375"
}
],
"release_date": "2025-09-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "To mitigate the issue, limit XML input size and complexity before parsing, and avoid accepting compressed or deeply nested XML. Use OS-level resource controls (like ulimit or setrlimit()) to cap memory usage, or run the parser in a sandboxed or isolated process with strict memory and CPU limits. This helps prevent denial-of-service by containing excessive resource consumption.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing"
},
{
"cve": "CVE-2025-62164",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-11-21T02:01:11.280042+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416282"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in vLLM allows attackers to supply malicious serialized prompt-embedding tensors that are deserialized using torch.load() without validation. Due to PyTorch 2.8.0 disabling sparse-tensor integrity checks by default, a crafted tensor can bypass bounds checks and cause an out-of-bounds write during to_dense(), leading to a crash (DoS) and potentially remote code execution on the vLLM server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vllm: VLLM deserialization vulnerability leading to DoS and potential RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered important rather than moderate because it involves unsafe deserialization leading to memory corruption in a network-reachable, unauthenticated API path. Unlike typical moderate flaws that may only allow limited DoS or require specific conditions, this issue allows an attacker to supply a crafted sparse tensor that triggers an out-of-bounds memory write during PyTorch\u2019s to_dense() conversion. Memory corruption in a server process handling untrusted input significantly elevates security risk because it can lead not only to a reliable crash but also to potential remote code execution, enabling full compromise of the vLLM service. Additionally, the affected code path is part of the standard Completions API workflow, making the attack surface broadly exposed in real deployments. The combination of remote exploitability, unauthenticated access, memory corruption, and potential RCE clearly positions this issue above a moderate classification and into an important severity level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-62164"
},
{
"category": "external",
"summary": "RHBZ#2416282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416282"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-62164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62164"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-62164",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62164"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b",
"url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/27204",
"url": "https://github.com/vllm-project/vllm/pull/27204"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf"
}
],
"release_date": "2025-11-21T01:18:38.803000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vllm: VLLM deserialization vulnerability leading to DoS and potential RCE"
},
{
"cve": "CVE-2025-62372",
"cwe": {
"id": "CWE-129",
"name": "Improper Validation of Array Index"
},
"discovery_date": "2025-11-21T02:00:57.180567+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416280"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service vulnerability in vLLM allows an attacker with API access to crash the engine by submitting multimodal embedding tensors that have the correct number of dimensions but an invalid internal shape. Because vLLM validates only the tensor\u2019s ndim and not the full expected shape, malformed embeddings trigger shape mismatches or validation failures during processing, causing the inference engine to terminate.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vllm: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated Moderate rather than Important because its impact is strictly limited to availability and requires low but existing privileges to exploit. The issue arises from incomplete shape validation of multimodal embedding tensors, which can cause deterministic crashes in the inference engine, but it does not enable memory corruption, data leakage, integrity compromise, or execution of arbitrary code. Exploitation requires an authenticated or API-key-holding user to submit malformed multimodal inputs, meaning it cannot be triggered by an unauthenticated attacker on an exposed endpoint. Additionally, the failure mode is a clean crash rather than undefined behavior, so the blast radius is constrained to service interruption rather than broader systemic compromise. These factors\u2014PR:L requirement, no confidentiality/integrity impact, deterministic failure mode, and scoped DoS only\u2014technically align the issue with Moderate severity instead of an Important flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-62372"
},
{
"category": "external",
"summary": "RHBZ#2416280",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416280"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-62372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62372"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-62372",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62372"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b",
"url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/27204",
"url": "https://github.com/vllm-project/vllm/pull/27204"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/6613",
"url": "https://github.com/vllm-project/vllm/pull/6613"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw"
}
],
"release_date": "2025-11-21T01:22:37.121000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vllm: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs"
},
{
"cve": "CVE-2025-66448",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2025-12-01T23:01:07.198041+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418152"
}
],
"notes": [
{
"category": "description",
"text": "A remote code execution vulnerability has been identified in vLLM. An attacker can exploit a weakness in the model loading process to silently fetch and run unauthorized, malicious Python code on the host system. This happens because the engine mistakenly executes code from a remote repository referenced in a model\u0027s configuration, even when explicit security measures are set to prevent it.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vllm: vLLM: Remote Code Execution via malicious model configuration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat because vLLM, when deployed in a Red Hat environment, is susceptible to remote code execution. An attacker can craft a malicious model configuration that, when loaded, fetches and executes arbitrary Python code from a remote repository, even if `trust_remote_code` is explicitly set to `False`.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66448"
},
{
"category": "external",
"summary": "RHBZ#2418152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66448",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66448"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66448",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66448"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86",
"url": "https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/28126",
"url": "https://github.com/vllm-project/vllm/pull/28126"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm"
}
],
"release_date": "2025-12-01T22:45:42.566000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vllm: vLLM: Remote Code Execution via malicious model configuration"
},
{
"cve": "CVE-2025-66506",
"cwe": {
"id": "CWE-405",
"name": "Asymmetric Resource Consumption (Amplification)"
},
"discovery_date": "2025-12-04T23:01:20.507333+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419056"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat as Fulcio, a certificate authority used for issuing code signing certificates, is susceptible to a denial of service when processing a specially crafted OpenID Connect (OIDC) token. This could lead to resource exhaustion and service unavailability in affected Red Hat products that utilize Fulcio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66506"
},
{
"category": "external",
"summary": "RHBZ#2419056",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419056"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506"
},
{
"category": "external",
"summary": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a",
"url": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a"
},
{
"category": "external",
"summary": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw",
"url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw"
}
],
"release_date": "2025-12-04T22:04:41.637000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-15T15:38:07+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23205",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e3b3efcdd86f60b90664a249d45918b2ac5f45bae5eed5399e310d63e878b287_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token"
}
]
}
RHSA-2025:23449
Vulnerability from csaf_redhat - Published: 2025-12-17 08:22 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: Red Hat AI Inference Server 3.2.5 (ROCm)
Severity
Important
Notes
Topic: Red Hat AI Inference Server 3.2.5 (ROCm) is now available.
Details: Red Hat® AI Inference Server
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).
5.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in libxstl/libxml2. The 'exsltDynMapFunction' function in libexslt/dynamic.c does not contain a recursion depth check, which may cause an infinite loop via a specially crafted XSLT document while handling 'dyn:map()', leading to stack exhaustion and a local denial of service.
6.2 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability in vLLM allows attackers to supply malicious serialized prompt-embedding tensors that are deserialized using torch.load() without validation. Due to PyTorch 2.8.0 disabling sparse-tensor integrity checks by default, a crafted tensor can bypass bounds checks and cause an out-of-bounds write during to_dense(), leading to a crash (DoS) and potentially remote code execution on the vLLM server.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A denial-of-service vulnerability in vLLM allows an attacker with API access to crash the engine by submitting multimodal embedding tensors that have the correct number of dimensions but an invalid internal shape. Because vLLM validates only the tensor’s ndim and not the full expected shape, malformed embeddings trigger shape mismatches or validation failures during processing, causing the inference engine to terminate.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A remote code execution vulnerability has been identified in vLLM. An attacker can exploit a weakness in the model loading process to silently fetch and run unauthorized, malicious Python code on the host system. This happens because the engine mistakenly executes code from a remote repository referenced in a model's configuration, even when explicit security measures are set to prevent it.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
84 references
Acknowledgments
jub0bs
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat AI Inference Server 3.2.5 (ROCm) is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat\u00ae AI Inference Server",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23449",
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-22868",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-22869",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47906",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-52565",
"url": "https://access.redhat.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59375",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-62164",
"url": "https://access.redhat.com/security/cve/CVE-2025-62164"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-62372",
"url": "https://access.redhat.com/security/cve/CVE-2025-62372"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66448",
"url": "https://access.redhat.com/security/cve/CVE-2025-66448"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66506",
"url": "https://access.redhat.com/security/cve/CVE-2025-66506"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9230",
"url": "https://access.redhat.com/security/cve/CVE-2025-9230"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9714",
"url": "https://access.redhat.com/security/cve/CVE-2025-9714"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://www.redhat.com/en/products/ai/inference-server",
"url": "https://www.redhat.com/en/products/ai/inference-server"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23449.json"
}
],
"title": "Red Hat Security Advisory: Red Hat AI Inference Server 3.2.5 (ROCm)",
"tracking": {
"current_release_date": "2026-06-07T15:33:33+00:00",
"generator": {
"date": "2026-06-07T15:33:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:23449",
"initial_release_date": "2025-12-17T08:22:31+00:00",
"revision_history": [
{
"date": "2025-12-17T08:22:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-17T08:22:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AI Inference Server 3.2",
"product": {
"name": "Red Hat AI Inference Server 3.2",
"product_id": "Red Hat AI Inference Server 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ai_inference_server:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat AI Inference Server"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64",
"product": {
"name": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64",
"product_id": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64",
"product_identification_helper": {
"purl": "pkg:oci/vllm-rocm-rhel9@sha256%3Ac5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125?arch=amd64\u0026repository_url=registry.redhat.io/rhaiis\u0026tag=3.2.5-1765552603"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64 as a component of Red Hat AI Inference Server 3.2",
"product_id": "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
},
"product_reference": "registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64",
"relates_to_product_reference": "Red Hat AI Inference Server 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-9230",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-09-17T12:15:34.387000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396054"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was rated as Moderate because, while the potential impact includes an application level denial of service and possible arbitrary code execution, successful exploitation is considered unlikely due to the high attack complexity and the fact that password-based CMS encryption (PWRI) is rarely used in real-world deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9230"
},
{
"category": "external",
"summary": "RHBZ#2396054",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396054"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230"
}
],
"release_date": "2025-09-30T23:59:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap"
},
{
"cve": "CVE-2025-9714",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2025-09-02T13:03:56.452000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392605"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxstl/libxml2. The \u0027exsltDynMapFunction\u0027 function in libexslt/dynamic.c does not contain a recursion depth check, which may cause an infinite loop via a specially crafted XSLT document while handling \u0027dyn:map()\u0027, leading to stack exhaustion and a local denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No evidence was found for arbitrary memory corruption through this flaw, limiting its impact to Availability only, and reducing its severity to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9714"
},
{
"category": "external",
"summary": "RHBZ#2392605",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392605"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9714"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148"
}
],
"release_date": "2025-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "The impact of this flaw may be reduced by setting strict resource limits to the stack size of processes at the operational system level. This can be achieved either through the \u0027ulimit\u0027 shell built-in or the \u0027limits.conf\u0027 file.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c"
},
{
"acknowledgments": [
{
"names": [
"jub0bs"
]
}
],
"cve": "CVE-2025-22868",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2025-02-26T04:00:44.350024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "RHBZ#2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://go.dev/cl/652155",
"url": "https://go.dev/cl/652155"
},
{
"category": "external",
"summary": "https://go.dev/issue/71490",
"url": "https://go.dev/issue/71490"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3488",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"release_date": "2025-02-26T03:07:49.012000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
},
{
"cve": "CVE-2025-22869",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-02-26T04:00:47.683125+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "RHBZ#2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://go.dev/cl/652135",
"url": "https://go.dev/cl/652135"
},
{
"category": "external",
"summary": "https://go.dev/issue/71931",
"url": "https://go.dev/issue/71931"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3487",
"url": "https://pkg.go.dev/vuln/GO-2025-3487"
}
],
"release_date": "2025-02-26T03:07:48.855000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
},
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-52565",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2025-10-17T14:19:18.653000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2404708"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console\nbind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "runc: container escape with malicious config due to /dev/console mount and related races",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat considers this as an Important flaw since the impact is limited to local attack with minimal privileges in order to jeopardize the environment.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "RHBZ#2404708",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404708"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52565",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52565"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
}
],
"release_date": "2025-11-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "Potential mitigations for this issue include:\n\n* Using user namespaces, with the host root user not mapped into the container\u0027s namespace. procfs file permissions are managed using Unix DAC and thus user namespaces stop a container process from being able to write to them.\n* Not running as a root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC and thus non-root users cannot write to them.\n* The default SELinux policy should mitigate this issue, as the /dev/console bind-mount does not re-label the mount and so the container process should not be able to write to unsafe procfs files. However, CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not helpful when considered in combination with CVE-2025-52881.\n* The default AppArmor profile used by most runtimes will NOT help mitigate this issue, as /dev/console access is permitted. You could create a custom profile that blocks access to /dev/console, but such a profile might break regular containers. In addition, CVE-2025-52881 allows an attacker to bypass LSM labels, and so that mitigation is not helpful when considered in combination with CVE-2025-52881.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "runc: container escape with malicious config due to /dev/console mount and related races"
},
{
"cve": "CVE-2025-59375",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-09-15T03:00:59.775098+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2395108"
}
],
"notes": [
{
"category": "description",
"text": "A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is Important rather than Critical because, while it allows for significant resource exhaustion leading to denial-of-service (DoS), it does not enable arbitrary code execution, data leakage, or privilege escalation. The vulnerability stems from an uncontrolled memory amplification behavior in libexpat\u2019s parser, where a relatively small XML payload can cause disproportionately large heap allocations. However, the flaw is limited in scope to service disruption and requires the attacker to submit a crafted XML document\u2014something that can be mitigated with proper input validation and memory usage limits. Therefore, while the exploitability is high, the impact is confined to availability, not confidentiality or integrity, making it a high-severity but not critical flaw.\n\nIn Firefox and Thunderbird, where libexpat is a transitive userspace dependency, exploitation usually just crashes the application (app-level DoS), so it is classified as Moderate instead of Important.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "RHBZ#2395108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2025-59375"
},
{
"category": "external",
"summary": "https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2025-59375"
}
],
"release_date": "2025-09-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "To mitigate the issue, limit XML input size and complexity before parsing, and avoid accepting compressed or deeply nested XML. Use OS-level resource controls (like ulimit or setrlimit()) to cap memory usage, or run the parser in a sandboxed or isolated process with strict memory and CPU limits. This helps prevent denial-of-service by containing excessive resource consumption.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing"
},
{
"cve": "CVE-2025-62164",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-11-21T02:01:11.280042+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416282"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in vLLM allows attackers to supply malicious serialized prompt-embedding tensors that are deserialized using torch.load() without validation. Due to PyTorch 2.8.0 disabling sparse-tensor integrity checks by default, a crafted tensor can bypass bounds checks and cause an out-of-bounds write during to_dense(), leading to a crash (DoS) and potentially remote code execution on the vLLM server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vllm: VLLM deserialization vulnerability leading to DoS and potential RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered important rather than moderate because it involves unsafe deserialization leading to memory corruption in a network-reachable, unauthenticated API path. Unlike typical moderate flaws that may only allow limited DoS or require specific conditions, this issue allows an attacker to supply a crafted sparse tensor that triggers an out-of-bounds memory write during PyTorch\u2019s to_dense() conversion. Memory corruption in a server process handling untrusted input significantly elevates security risk because it can lead not only to a reliable crash but also to potential remote code execution, enabling full compromise of the vLLM service. Additionally, the affected code path is part of the standard Completions API workflow, making the attack surface broadly exposed in real deployments. The combination of remote exploitability, unauthenticated access, memory corruption, and potential RCE clearly positions this issue above a moderate classification and into an important severity level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-62164"
},
{
"category": "external",
"summary": "RHBZ#2416282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416282"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-62164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62164"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-62164",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62164"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b",
"url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/27204",
"url": "https://github.com/vllm-project/vllm/pull/27204"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf"
}
],
"release_date": "2025-11-21T01:18:38.803000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vllm: VLLM deserialization vulnerability leading to DoS and potential RCE"
},
{
"cve": "CVE-2025-62372",
"cwe": {
"id": "CWE-129",
"name": "Improper Validation of Array Index"
},
"discovery_date": "2025-11-21T02:00:57.180567+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416280"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service vulnerability in vLLM allows an attacker with API access to crash the engine by submitting multimodal embedding tensors that have the correct number of dimensions but an invalid internal shape. Because vLLM validates only the tensor\u2019s ndim and not the full expected shape, malformed embeddings trigger shape mismatches or validation failures during processing, causing the inference engine to terminate.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vllm: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated Moderate rather than Important because its impact is strictly limited to availability and requires low but existing privileges to exploit. The issue arises from incomplete shape validation of multimodal embedding tensors, which can cause deterministic crashes in the inference engine, but it does not enable memory corruption, data leakage, integrity compromise, or execution of arbitrary code. Exploitation requires an authenticated or API-key-holding user to submit malformed multimodal inputs, meaning it cannot be triggered by an unauthenticated attacker on an exposed endpoint. Additionally, the failure mode is a clean crash rather than undefined behavior, so the blast radius is constrained to service interruption rather than broader systemic compromise. These factors\u2014PR:L requirement, no confidentiality/integrity impact, deterministic failure mode, and scoped DoS only\u2014technically align the issue with Moderate severity instead of an Important flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-62372"
},
{
"category": "external",
"summary": "RHBZ#2416280",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416280"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-62372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62372"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-62372",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62372"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b",
"url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/27204",
"url": "https://github.com/vllm-project/vllm/pull/27204"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/6613",
"url": "https://github.com/vllm-project/vllm/pull/6613"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw"
}
],
"release_date": "2025-11-21T01:22:37.121000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vllm: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs"
},
{
"cve": "CVE-2025-66448",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2025-12-01T23:01:07.198041+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418152"
}
],
"notes": [
{
"category": "description",
"text": "A remote code execution vulnerability has been identified in vLLM. An attacker can exploit a weakness in the model loading process to silently fetch and run unauthorized, malicious Python code on the host system. This happens because the engine mistakenly executes code from a remote repository referenced in a model\u0027s configuration, even when explicit security measures are set to prevent it.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vllm: vLLM: Remote Code Execution via malicious model configuration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat because vLLM, when deployed in a Red Hat environment, is susceptible to remote code execution. An attacker can craft a malicious model configuration that, when loaded, fetches and executes arbitrary Python code from a remote repository, even if `trust_remote_code` is explicitly set to `False`.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66448"
},
{
"category": "external",
"summary": "RHBZ#2418152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66448",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66448"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66448",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66448"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86",
"url": "https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/pull/28126",
"url": "https://github.com/vllm-project/vllm/pull/28126"
},
{
"category": "external",
"summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm"
}
],
"release_date": "2025-12-01T22:45:42.566000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vllm: vLLM: Remote Code Execution via malicious model configuration"
},
{
"cve": "CVE-2025-66506",
"cwe": {
"id": "CWE-405",
"name": "Asymmetric Resource Consumption (Amplification)"
},
"discovery_date": "2025-12-04T23:01:20.507333+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419056"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat as Fulcio, a certificate authority used for issuing code signing certificates, is susceptible to a denial of service when processing a specially crafted OpenID Connect (OIDC) token. This could lead to resource exhaustion and service unavailability in affected Red Hat products that utilize Fulcio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66506"
},
{
"category": "external",
"summary": "RHBZ#2419056",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419056"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506"
},
{
"category": "external",
"summary": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a",
"url": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a"
},
{
"category": "external",
"summary": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw",
"url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw"
}
],
"release_date": "2025-12-04T22:04:41.637000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-17T08:22:31+00:00",
"details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23449",
"product_ids": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23449"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:c5efe40fa2a6e98d7d3d6676befff0dbbd87b2887769bb7e5856c5b0b0ada125_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token"
}
]
}
RHSA-2025:23733
Vulnerability from csaf_redhat - Published: 2025-12-22 01:38 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: go-toolset:rhel8 security update
Severity
Moderate
Notes
Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
51 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
51 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23733",
"url": "https://access.redhat.com/errata/RHSA-2025:23733"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23733.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:41+00:00",
"generator": {
"date": "2026-06-07T15:33:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:23733",
"initial_release_date": "2025-12-22T01:38:52+00:00",
"revision_history": [
{
"date": "2025-12-22T01:38:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T01:38:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.6::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.6::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src (go-toolset:rhel8)",
"product_id": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.7.2-1.module%2Bel8.6.0%2B12972%2Bebab5911?arch=src\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.17.13-2.module%2Bel8.6.0%2B22782%2Bbd95fb4c?arch=src\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src (go-toolset:rhel8)",
"product_id": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=src\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.7.2-1.module%2Bel8.6.0%2B12972%2Bebab5911?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.7.2-1.module%2Bel8.6.0%2B12972%2Bebab5911?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.7.2-1.module%2Bel8.6.0%2B12972%2Bebab5911?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.17.13-2.module%2Bel8.6.0%2B22782%2Bbd95fb4c?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=noarch\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=noarch\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=noarch\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=noarch\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.17.13-2.module%2Bel8.6.0%2B22782%2Bbd95fb4c?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64 (go-toolset:rhel8)",
"product_id": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.17.13-2.module%2Bel8.6.0%2B22782%2Bbd95fb4c?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le (go-toolset:rhel8)",
"product_id": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.17.13-2.module%2Bel8.6.0%2B22782%2Bbd95fb4c?arch=s390x\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"product": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x (go-toolset:rhel8)",
"product_id": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=s390x\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-11.module%2Bel8.6.0%2B23831%2B7077efd1?arch=s390x\u0026rpmmod=go-toolset:rhel8:8060020251219132124:97d7f71f"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:38:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23733"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:38:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23733"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.AUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.aarch64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.ppc64le::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.s390x::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.E4S:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debuginfo-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:delve-debugsource-0:1.7.2-1.module+el8.6.0+12972+ebab5911.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:go-toolset-0:1.17.13-2.module+el8.6.0+22782+bd95fb4c.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.src::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-bin-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-docs-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-misc-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-race-0:1.17.13-11.module+el8.6.0+23831+7077efd1.x86_64::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-src-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8",
"AppStream-8.6.0.Z.TUS:golang-tests-0:1.17.13-11.module+el8.6.0+23831+7077efd1.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:23737
Vulnerability from csaf_redhat - Published: 2025-12-22 01:43 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: go-toolset:rhel8 security update
Severity
Moderate
Notes
Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23737",
"url": "https://access.redhat.com/errata/RHSA-2025:23737"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23737.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:37+00:00",
"generator": {
"date": "2026-06-07T15:33:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:23737",
"initial_release_date": "2025-12-22T01:43:37+00:00",
"revision_history": [
{
"date": "2025-12-22T01:43:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T01:43:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src (go-toolset:rhel8)",
"product_id": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=src\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.13-3.module%2Bel8.8.0%2B23822%2Badd30b82?arch=src\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src (go-toolset:rhel8)",
"product_id": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=src\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.13-3.module%2Bel8.8.0%2B23822%2Badd30b82?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.13-3.module%2Bel8.8.0%2B23822%2Badd30b82?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le (go-toolset:rhel8)",
"product_id": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-18.module%2Bel8.8.0%2B23822%2Badd30b82?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8080020251215161342:17f3f959"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:43:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23737"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:43:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23737"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-18.module+el8.8.0+23822+add30b82.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-18.module+el8.8.0+23822+add30b82.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:23740
Vulnerability from csaf_redhat - Published: 2025-12-22 01:19 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: go-toolset:rhel8 security update
Severity
Moderate
Notes
Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23740",
"url": "https://access.redhat.com/errata/RHSA-2025:23740"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23740.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:38+00:00",
"generator": {
"date": "2026-06-07T15:33:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:23740",
"initial_release_date": "2025-12-22T01:19:27+00:00",
"revision_history": [
{
"date": "2025-12-22T01:19:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T01:19:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src (go-toolset:rhel8)",
"product_id": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=src\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.13.15-1.module%2Bel8.2.0%2B7662%2Bfa98b974?arch=src\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src (go-toolset:rhel8)",
"product_id": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=src\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.3.2-3.module%2Bel8.2.0%2B5581%2B896cb53e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.13.15-1.module%2Bel8.2.0%2B7662%2Bfa98b974?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.13.15-12.module%2Bel8.2.0%2B23813%2B4482ebdd?arch=noarch\u0026rpmmod=go-toolset:rhel8:8020020251212160632:02f7cb7a"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:19:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23740"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:19:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23740"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.src::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-bin-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-docs-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-misc-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-race-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.x86_64::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-src-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8",
"AppStream-8.2.0.Z.AUS:golang-tests-0:1.13.15-12.module+el8.2.0+23813+4482ebdd.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:23741
Vulnerability from csaf_redhat - Published: 2025-12-22 01:35 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: go-toolset:rhel8 security update
Severity
Moderate
Notes
Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23741",
"url": "https://access.redhat.com/errata/RHSA-2025:23741"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23741.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:38+00:00",
"generator": {
"date": "2026-06-07T15:33:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:23741",
"initial_release_date": "2025-12-22T01:35:17+00:00",
"revision_history": [
{
"date": "2025-12-22T01:35:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T01:35:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.4::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8)",
"product_id": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=src\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-3.module%2Bel8.4.0%2B22765%2B91da4d3f?arch=src\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=src\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.5.0-2.module%2Bel8.4.0%2B8864%2B58b0fcdb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.15.14-3.module%2Bel8.4.0%2B22765%2B91da4d3f?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.15.14-17.module%2Bel8.4.0%2B23814%2B8f618eb7?arch=noarch\u0026rpmmod=go-toolset:rhel8:8040020251212161217:5081a262"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:35:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23741"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T01:35:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23741"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.AUS:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debuginfo-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:delve-debugsource-0:1.5.0-2.module+el8.4.0+8864+58b0fcdb.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:go-toolset-0:1.15.14-3.module+el8.4.0+22765+91da4d3f.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.src::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-bin-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-docs-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-misc-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-race-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.x86_64::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-src-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8",
"AppStream-8.4.0.Z.EUS.EXTENSION:golang-tests-0:1.15.14-17.module+el8.4.0+23814+8f618eb7.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:23833
Vulnerability from csaf_redhat - Published: 2025-12-22 09:31 - Updated: 2026-04-30 13:33Summary
Red Hat Security Advisory: go-rpm-macros security update
Severity
Moderate
Notes
Topic: An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-rpm-templates-0:3.2.0-2.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:go-srpm-macros-0:3.2.0-2.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23833",
"url": "https://access.redhat.com/errata/RHSA-2025:23833"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23833.json"
}
],
"title": "Red Hat Security Advisory: go-rpm-macros security update",
"tracking": {
"current_release_date": "2026-04-30T13:33:27+00:00",
"generator": {
"date": "2026-04-30T13:33:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:23833",
"initial_release_date": "2025-12-22T09:31:10+00:00",
"revision_history": [
{
"date": "2025-12-22T09:31:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T09:31:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:33:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-2.el9_2.aarch64",
"product": {
"name": "go-filesystem-0:3.2.0-2.el9_2.aarch64",
"product_id": "go-filesystem-0:3.2.0-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"product": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"product_id": "go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-2.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"product": {
"name": "go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"product_id": "go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"product": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"product_id": "go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-2.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-2.el9_2.x86_64",
"product": {
"name": "go-filesystem-0:3.2.0-2.el9_2.x86_64",
"product_id": "go-filesystem-0:3.2.0-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"product": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"product_id": "go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-2.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-2.el9_2.s390x",
"product": {
"name": "go-filesystem-0:3.2.0-2.el9_2.s390x",
"product_id": "go-filesystem-0:3.2.0-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"product": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"product_id": "go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-2.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-2.el9_2.src",
"product": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.src",
"product_id": "go-rpm-macros-0:3.2.0-2.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-2.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"product": {
"name": "go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"product_id": "go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-templates@3.2.0-2.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "go-srpm-macros-0:3.2.0-2.el9_2.noarch",
"product": {
"name": "go-srpm-macros-0:3.2.0-2.el9_2.noarch",
"product_id": "go-srpm-macros-0:3.2.0-2.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-srpm-macros@3.2.0-2.el9_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.aarch64"
},
"product_reference": "go-filesystem-0:3.2.0-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.ppc64le"
},
"product_reference": "go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.s390x"
},
"product_reference": "go-filesystem-0:3.2.0-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.x86_64"
},
"product_reference": "go-filesystem-0:3.2.0-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.aarch64"
},
"product_reference": "go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.ppc64le"
},
"product_reference": "go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.s390x"
},
"product_reference": "go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.src"
},
"product_reference": "go-rpm-macros-0:3.2.0-2.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.x86_64"
},
"product_reference": "go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-templates-0:3.2.0-2.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-rpm-templates-0:3.2.0-2.el9_2.noarch"
},
"product_reference": "go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-srpm-macros-0:3.2.0-2.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:go-srpm-macros-0:3.2.0-2.el9_2.noarch"
},
"product_reference": "go-srpm-macros-0:3.2.0-2.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.src",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:go-srpm-macros-0:3.2.0-2.el9_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T09:31:10+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.src",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:go-srpm-macros-0:3.2.0-2.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23833"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.src",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:go-srpm-macros-0:3.2.0-2.el9_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-filesystem-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.src",
"AppStream-9.2.0.Z.E4S:go-rpm-macros-0:3.2.0-2.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:go-rpm-templates-0:3.2.0-2.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:go-srpm-macros-0:3.2.0-2.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
}
]
}
RHSA-2025:23834
Vulnerability from csaf_redhat - Published: 2025-12-22 09:38 - Updated: 2026-04-30 13:33Summary
Red Hat Security Advisory: go-rpm-macros security update
Severity
Moderate
Notes
Topic: An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-rpm-templates-0:3.2.0-4.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-srpm-macros-0:3.2.0-4.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23834",
"url": "https://access.redhat.com/errata/RHSA-2025:23834"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23834.json"
}
],
"title": "Red Hat Security Advisory: go-rpm-macros security update",
"tracking": {
"current_release_date": "2026-04-30T13:33:30+00:00",
"generator": {
"date": "2026-04-30T13:33:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:23834",
"initial_release_date": "2025-12-22T09:38:58+00:00",
"revision_history": [
{
"date": "2025-12-22T09:38:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T09:38:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:33:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-4.el9_4.aarch64",
"product": {
"name": "go-filesystem-0:3.2.0-4.el9_4.aarch64",
"product_id": "go-filesystem-0:3.2.0-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"product": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"product_id": "go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-4.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"product": {
"name": "go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"product_id": "go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"product": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"product_id": "go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-4.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-4.el9_4.x86_64",
"product": {
"name": "go-filesystem-0:3.2.0-4.el9_4.x86_64",
"product_id": "go-filesystem-0:3.2.0-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"product": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"product_id": "go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-4.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.2.0-4.el9_4.s390x",
"product": {
"name": "go-filesystem-0:3.2.0-4.el9_4.s390x",
"product_id": "go-filesystem-0:3.2.0-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.2.0-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"product": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"product_id": "go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-4.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-macros-0:3.2.0-4.el9_4.src",
"product": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.src",
"product_id": "go-rpm-macros-0:3.2.0-4.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.2.0-4.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"product": {
"name": "go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"product_id": "go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-templates@3.2.0-4.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "go-srpm-macros-0:3.2.0-4.el9_4.noarch",
"product": {
"name": "go-srpm-macros-0:3.2.0-4.el9_4.noarch",
"product_id": "go-srpm-macros-0:3.2.0-4.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-srpm-macros@3.2.0-4.el9_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.aarch64"
},
"product_reference": "go-filesystem-0:3.2.0-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.ppc64le"
},
"product_reference": "go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.s390x"
},
"product_reference": "go-filesystem-0:3.2.0-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.2.0-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.x86_64"
},
"product_reference": "go-filesystem-0:3.2.0-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.aarch64"
},
"product_reference": "go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.ppc64le"
},
"product_reference": "go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.s390x"
},
"product_reference": "go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.src"
},
"product_reference": "go-rpm-macros-0:3.2.0-4.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.2.0-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.x86_64"
},
"product_reference": "go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-templates-0:3.2.0-4.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-rpm-templates-0:3.2.0-4.el9_4.noarch"
},
"product_reference": "go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-srpm-macros-0:3.2.0-4.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-srpm-macros-0:3.2.0-4.el9_4.noarch"
},
"product_reference": "go-srpm-macros-0:3.2.0-4.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:go-srpm-macros-0:3.2.0-4.el9_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T09:38:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:go-srpm-macros-0:3.2.0-4.el9_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23834"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:go-srpm-macros-0:3.2.0-4.el9_4.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-filesystem-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:go-rpm-macros-0:3.2.0-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:go-rpm-templates-0:3.2.0-4.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:go-srpm-macros-0:3.2.0-4.el9_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
}
]
}
RHSA-2025:23851
Vulnerability from csaf_redhat - Published: 2025-12-22 11:31 - Updated: 2026-04-30 13:33Summary
Red Hat Security Advisory: go-rpm-macros security update
Severity
Moderate
Notes
Topic: An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-rpm-templates-0:3.0.9-12.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:go-srpm-macros-0:3.0.9-12.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23851",
"url": "https://access.redhat.com/errata/RHSA-2025:23851"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23851.json"
}
],
"title": "Red Hat Security Advisory: go-rpm-macros security update",
"tracking": {
"current_release_date": "2026-04-30T13:33:32+00:00",
"generator": {
"date": "2026-04-30T13:33:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:23851",
"initial_release_date": "2025-12-22T11:31:13+00:00",
"revision_history": [
{
"date": "2025-12-22T11:31:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-22T11:31:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:33:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.0::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.0.9-12.el9_0.aarch64",
"product": {
"name": "go-filesystem-0:3.0.9-12.el9_0.aarch64",
"product_id": "go-filesystem-0:3.0.9-12.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.0.9-12.el9_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"product": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"product_id": "go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.0.9-12.el9_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"product": {
"name": "go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"product_id": "go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.0.9-12.el9_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"product": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"product_id": "go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.0.9-12.el9_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.0.9-12.el9_0.x86_64",
"product": {
"name": "go-filesystem-0:3.0.9-12.el9_0.x86_64",
"product_id": "go-filesystem-0:3.0.9-12.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.0.9-12.el9_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"product": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"product_id": "go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.0.9-12.el9_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.0.9-12.el9_0.s390x",
"product": {
"name": "go-filesystem-0:3.0.9-12.el9_0.s390x",
"product_id": "go-filesystem-0:3.0.9-12.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.0.9-12.el9_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"product": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"product_id": "go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.0.9-12.el9_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-macros-0:3.0.9-12.el9_0.src",
"product": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.src",
"product_id": "go-rpm-macros-0:3.0.9-12.el9_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.0.9-12.el9_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"product": {
"name": "go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"product_id": "go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-templates@3.0.9-12.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "go-srpm-macros-0:3.0.9-12.el9_0.noarch",
"product": {
"name": "go-srpm-macros-0:3.0.9-12.el9_0.noarch",
"product_id": "go-srpm-macros-0:3.0.9-12.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-srpm-macros@3.0.9-12.el9_0?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.0.9-12.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.aarch64"
},
"product_reference": "go-filesystem-0:3.0.9-12.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.0.9-12.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.ppc64le"
},
"product_reference": "go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.0.9-12.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.s390x"
},
"product_reference": "go-filesystem-0:3.0.9-12.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.0.9-12.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.x86_64"
},
"product_reference": "go-filesystem-0:3.0.9-12.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.aarch64"
},
"product_reference": "go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.ppc64le"
},
"product_reference": "go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.s390x"
},
"product_reference": "go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.src"
},
"product_reference": "go-rpm-macros-0:3.0.9-12.el9_0.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.0.9-12.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.x86_64"
},
"product_reference": "go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-templates-0:3.0.9-12.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-rpm-templates-0:3.0.9-12.el9_0.noarch"
},
"product_reference": "go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-srpm-macros-0:3.0.9-12.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:go-srpm-macros-0:3.0.9-12.el9_0.noarch"
},
"product_reference": "go-srpm-macros-0:3.0.9-12.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.src",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:go-srpm-macros-0:3.0.9-12.el9_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-22T11:31:13+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.src",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:go-srpm-macros-0:3.0.9-12.el9_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23851"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.src",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:go-srpm-macros-0:3.0.9-12.el9_0.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-filesystem-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.src",
"AppStream-9.0.0.Z.E4S:go-rpm-macros-0:3.0.9-12.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:go-rpm-templates-0:3.0.9-12.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:go-srpm-macros-0:3.0.9-12.el9_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…