Vulnerability-Lookup

RHSA-2026:26257

Vulnerability from csaf_redhat - Published: 2026-06-16 10:21 - Updated: 2026-06-16 10:23

Summary

Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.8

Severity

Important

Notes

Topic: Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.8 General Availability release, with updates to container images.

Details: Assisted Installer RHEL 8 integrates components for the general multicluster engine for Kubernetes 2.8.8 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-58058

A memory leak flaw has been discovered in the golang github.com/ulikunitz/xz package. In affected versions, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-39883

A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system's PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality.

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-426 - Untrusted Search Path

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64	—	Vendor Fix fix
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64	—	Vendor Fix fix

Threats

Impact Important

References

17 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:26257	self
https://access.redhat.com/security/cve/CVE-2025-58058	external
https://access.redhat.com/security/cve/CVE-2026-39883	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-58058	self
https://bugzilla.redhat.com/show_bug.cgi?id=2391585	external
https://www.cve.org/CVERecord?id=CVE-2025-58058	external
https://nvd.nist.gov/vuln/detail/CVE-2025-58058	external
https://github.com/ulikunitz/xz/commit/88ddf1d0d9…	external
https://github.com/ulikunitz/xz/security/advisori…	external
https://access.redhat.com/security/cve/CVE-2026-39883	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456718	external
https://www.cve.org/CVERecord?id=CVE-2026-39883	external
https://nvd.nist.gov/vuln/detail/CVE-2026-39883	external
http://github.com/open-telemetry/opentelemetry-go…	external
https://github.com/open-telemetry/opentelemetry-g…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.8 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 8 integrates components for the general multicluster engine\nfor Kubernetes 2.8.8 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:26257",
        "url": "https://access.redhat.com/errata/RHSA-2026:26257"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-58058",
        "url": "https://access.redhat.com/security/cve/CVE-2025-58058"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-39883",
        "url": "https://access.redhat.com/security/cve/CVE-2026-39883"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26257.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.8",
    "tracking": {
      "current_release_date": "2026-06-16T10:23:19+00:00",
      "generator": {
        "date": "2026-06-16T10:23:19+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:26257",
      "initial_release_date": "2026-06-16T10:21:48+00:00",
      "revision_history": [
        {
          "date": "2026-06-16T10:21:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-16T10:21:53+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-16T10:23:19+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.8",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.8",
                  "product_id": "multicluster engine for Kubernetes 2.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.8::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Aaa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-8-rhel8\u0026tag=1781539691"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-58058",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-08-28T22:00:45.848319+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2391585"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A memory leak flaw has been discovered in the golang github.com/ulikunitz/xz package. In affected versions, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-58058"
        },
        {
          "category": "external",
          "summary": "RHBZ#2391585",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391585"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-58058",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58058"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058"
        },
        {
          "category": "external",
          "summary": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2",
          "url": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"
        },
        {
          "category": "external",
          "summary": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9",
          "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9"
        }
      ],
      "release_date": "2025-08-28T21:54:05.561000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-16T10:21:48+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:26257"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory"
    },
    {
      "cve": "CVE-2026-39883",
      "cwe": {
        "id": "CWE-426",
        "name": "Untrusted Search Path"
      },
      "discovery_date": "2026-04-08T21:01:31.690577+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456718"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system\u0027s PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-39883"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456718",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456718"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-39883",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-39883"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
        },
        {
          "category": "external",
          "summary": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
          "url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
        },
        {
          "category": "external",
          "summary": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
        }
      ],
      "release_date": "2026-04-08T20:26:41.731000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-16T10:21:48+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:26257"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris"
    }
  ]
}

CVE-2025-58058 (GCVE-0-2025-58058)

Vulnerability from cvelistv5 – Published: 2025-08-28 21:54 – Updated: 2025-08-29 13:23

Title

github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives

Summary

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/ulikunitz/xz/security/advisori…	x_refsource_CONFIRM
https://github.com/ulikunitz/xz/commit/88ddf1d0d9…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
ulikunitz	xz	Affected: < 0.5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58058",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-29T13:22:52.507752Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-29T13:23:07.497Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xz",
          "vendor": "ulikunitz",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T21:54:05.561Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9"
        },
        {
          "name": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"
        }
      ],
      "source": {
        "advisory": "GHSA-jc7w-c686-c4v9",
        "discovery": "UNKNOWN"
      },
      "title": "github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58058",
    "datePublished": "2025-08-28T21:54:05.561Z",
    "dateReserved": "2025-08-22T14:30:32.221Z",
    "dateUpdated": "2025-08-29T13:23:07.497Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2026-39883 (GCVE-0-2026-39883)

Vulnerability from cvelistv5 – Published: 2026-04-08 20:26 – Updated: 2026-04-10 20:52

Title

OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

Severity

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-426 - Untrusted Search Path

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_CONFIRM
http://github.com/open-telemetry/opentelemetry-go…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
open-telemetry	opentelemetry-go	Affected: >= 1.15.0, < 1.43.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39883",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T20:52:34.310842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T20:52:54.819Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.43.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T20:26:41.731Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
        },
        {
          "name": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
        }
      ],
      "source": {
        "advisory": "GHSA-hfvc-g4fc-pqhx",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39883",
    "datePublished": "2026-04-08T20:26:41.731Z",
    "dateReserved": "2026-04-07T20:32:03.010Z",
    "dateUpdated": "2026-04-10T20:52:54.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:26257

CVE-2025-58058 (GCVE-0-2025-58058)

CVE-2026-39883 (GCVE-0-2026-39883)

Tags

Sightings

Nomenclature