Vulnerability-Lookup

RHSA-2026:22258

Vulnerability from csaf_redhat - Published: 2026-06-01 06:42 - Updated: 2026-06-20 07:54

Summary

Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.7

Severity

Important

Notes

Topic: Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.7 General Availability release, with updates to container images.

Details: Assisted Installer RHEL 8 integrates components for the general multicluster engine for Kubernetes 2.8.7 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-32280

A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x	—	Vendor Fix fix

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x	—	Vendor Fix fix Workaround

Threats

Impact Important

References

19 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:22258	self
https://access.redhat.com/security/cve/CVE-2026-32280	external
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-32280	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456339	external
https://www.cve.org/CVERecord?id=CVE-2026-32280	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32280	external
https://go.dev/cl/758320	external
https://go.dev/issue/78282	external
https://groups.google.com/g/golang-announce/c/0uY…	external
https://pkg.go.dev/vuln/GO-2026-4947	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.7 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 8 integrates components for the general multicluster engine\nfor Kubernetes 2.8.7 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:22258",
        "url": "https://access.redhat.com/errata/RHSA-2026:22258"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32280",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_22258.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.7",
    "tracking": {
      "current_release_date": "2026-06-20T07:54:12+00:00",
      "generator": {
        "date": "2026-06-20T07:54:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:22258",
      "initial_release_date": "2026-06-01T06:42:53+00:00",
      "revision_history": [
        {
          "date": "2026-06-01T06:42:53+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-01T06:42:56+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-20T07:54:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.8",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.8",
                  "product_id": "multicluster engine for Kubernetes 2.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.8::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1779910504"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1779910504"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1779910504"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Ab9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1779910504"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32280",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-08T02:01:19.572351+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456339"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456339",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/758320",
          "url": "https://go.dev/cl/758320"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78282",
          "url": "https://go.dev/issue/78282"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4947",
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "release_date": "2026-04-08T01:06:58.595000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-01T06:42:53+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22258"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-01T06:42:53+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22258"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:0578fe32759bccad07a8624017ee4629a21b3623393af20cc16f0819a0d71cf1_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:77ea535479c2c3e814107d03bd79f670c7c8ce641ff16482065ac7d5a9d818c3_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9bcb737b6ba68fc378edaa56d3b20900807df3f463c45628f4f2bc12d099b03a_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:b9ffe0abc4785e59a27e0a0d2b6e0c6f9242a73691800252d1c9741bfcc389b4_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    }
  ]
}

CVE-2026-32280 (GCVE-0-2026-32280)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-08 17:46

Title

Unexpected work during chain building in crypto/x509

Summary

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4947

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32280",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T17:46:14.569488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T17:46:47.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.buildChains"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.595Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758320"
        },
        {
          "url": "https://go.dev/issue/78282"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "title": "Unexpected work during chain building in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32280",
    "datePublished": "2026-04-08T01:06:58.595Z",
    "dateReserved": "2026-03-11T16:38:46.555Z",
    "dateUpdated": "2026-04-08T17:46:47.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:22258

CVE-2026-32280 (GCVE-0-2026-32280)

CVE-2026-34986 (GCVE-0-2026-34986)

Tags

Sightings

Nomenclature