Vulnerability-Lookup

RHSA-2026:24475

Vulnerability from csaf_redhat - Published: 2026-06-08 12:54 - Updated: 2026-06-20 13:51

Summary

Red Hat Security Advisory: RHTAS 1.3.5 - Red Hat Trusted Artifact Signer Release

Severity

Important

Notes

Topic: The 1.3.5 release of Red Hat Trusted Artifact Signer OpenShift Operator. For more details please visit the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3

Details: The RHTAS Operator can be used with OpenShift Container Platform 4.16, 4.17, 4.18, 4.19, 4.20 and 4.21

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-33815

A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-787 - Out-of-bounds Write

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64		—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-33816

A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-787 - Out-of-bounds Write

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64		—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64		—	Vendor Fix fix Workaround

Threats

Impact Important

References

24 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:24475	self
https://access.redhat.com/documentation/en-us/red…	external
https://access.redhat.com/documentation/en-us/red…	external
https://access.redhat.com/security/cve/CVE-2026-33815	external
https://access.redhat.com/security/cve/CVE-2026-33816	external
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-33815	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455975	external
https://www.cve.org/CVERecord?id=CVE-2026-33815	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33815	external
https://pkg.go.dev/vuln/GO-2026-4771	external
https://access.redhat.com/security/cve/CVE-2026-33816	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455972	external
https://www.cve.org/CVERecord?id=CVE-2026-33816	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33816	external
https://pkg.go.dev/vuln/GO-2026-4772	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The 1.3.5 release of Red Hat Trusted Artifact Signer OpenShift Operator.\nFor more details please visit the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The RHTAS Operator can be used with OpenShift Container Platform 4.16, 4.17, 4.18, 4.19, 4.20 and 4.21",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:24475",
        "url": "https://access.redhat.com/errata/RHSA-2026:24475"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33815",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33815"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33816",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33816"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_24475.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHTAS 1.3.5 - Red Hat Trusted Artifact Signer Release",
    "tracking": {
      "current_release_date": "2026-06-20T13:51:27+00:00",
      "generator": {
        "date": "2026-06-20T13:51:27+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:24475",
      "initial_release_date": "2026-06-08T12:54:10+00:00",
      "revision_history": [
        {
          "date": "2026-06-08T12:54:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-08T12:54:21+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-20T13:51:27+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Trusted Artifact Signer 1.3",
                "product": {
                  "name": "Red Hat Trusted Artifact Signer 1.3",
                  "product_id": "Red Hat Trusted Artifact Signer 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Trusted Artifact Signer"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64",
                  "product_id": "registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/createtree-rhel9@sha256%3A83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/createtree-rhel9\u0026tag=1780053572"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33815",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-07T16:01:25.130006+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455975"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33815"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455975",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455975"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33815",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33815"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33815",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33815"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4771",
          "url": "https://pkg.go.dev/vuln/GO-2026-4771"
        }
      ],
      "release_date": "2026-04-07T15:19:24.344000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T12:54:10+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability"
    },
    {
      "cve": "CVE-2026-33816",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-07T16:01:14.142946+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455972"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33816"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455972",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455972"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33816",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33816"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4772",
          "url": "https://pkg.go.dev/vuln/GO-2026-4772"
        }
      ],
      "release_date": "2026-04-07T15:19:24.529000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T12:54:10+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-08T12:54:10+00:00",
          "details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:24475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/createtree-rhel9@sha256:83e0145d441e7f379c4092250141b1415e458c81670cd457a6be2381ba4584c1_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    }
  ]
}

CVE-2026-33815 (GCVE-0-2026-33815)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-05-14 16:04

Title

CVE-2026-33815 in github.com/jackc/pgx

Summary

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-129 — Improper Validation of Array Index

Assigner

References

1 reference

URL	Tags
https://pkg.go.dev/vuln/GO-2026-4771

Impacted products

1 product

Vendor	Product	Version
github.com/jackc/pgx/v5	github.com/jackc/pgx/v5/pgproto3	Affected: 0 , < 5.9.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:21:42.714758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:04:02.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/jackc/pgx/v5/pgproto3",
          "product": "github.com/jackc/pgx/v5/pgproto3",
          "programRoutines": [
            {
              "name": "Bind.Decode"
            },
            {
              "name": "Backend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgx/v5",
          "versions": [
            {
              "lessThan": "5.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-129 \u2014 Improper Validation of Array Index",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T18:30:29.157Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4771"
        }
      ],
      "title": "CVE-2026-33815 in github.com/jackc/pgx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33815",
    "datePublished": "2026-04-07T15:19:24.344Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-14T16:04:02.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33816 (GCVE-0-2026-33816)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-05-14 16:04

Title

CVE-2026-33816 in github.com/jackc/pgx

Summary

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-697 — Incorrect Comparison

Assigner

References

1 reference

URL	Tags
https://pkg.go.dev/vuln/GO-2026-4772

Impacted products

1 product

Vendor	Product	Version
github.com/jackc/pgx/v5	github.com/jackc/pgx/v5/pgproto3	Affected: 0 , < 5.9.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:24:50.570972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:04:30.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/jackc/pgx/v5/pgproto3",
          "product": "github.com/jackc/pgx/v5/pgproto3",
          "programRoutines": [
            {
              "name": "FunctionCall.Decode"
            },
            {
              "name": "Backend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgx/v5",
          "versions": [
            {
              "lessThan": "5.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-697 \u2014 Incorrect Comparison",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T15:49:13.116Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4772"
        }
      ],
      "title": "CVE-2026-33816 in github.com/jackc/pgx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33816",
    "datePublished": "2026-04-07T15:19:24.529Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-14T16:04:30.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:24475

CVE-2026-33815 (GCVE-0-2026-33815)

CVE-2026-33816 (GCVE-0-2026-33816)

CVE-2026-34986 (GCVE-0-2026-34986)

Tags

Sightings

Nomenclature