RHSA-2026:37271
Vulnerability from csaf_redhat - Published: 2026-07-09 11:43 - Updated: 2026-07-10 12:41A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during public key authentication. Successful exploitation could lead to a denial of service (DoS) due to prolonged CPU consumption during signature verification.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak per connection. The consequence is a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the unrestricted use of the key on the remote host. This vulnerability could enable an attacker to bypass intended security controls and perform unauthorized actions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh/agent. The NewKeyring() function, which creates an in-memory keyring, failed to enforce the ConfirmBeforeUse constraint on keys. This allowed keys configured to require user confirmation before use to perform signing operations without any prompt or indication to the user. Consequently, an attacker could potentially bypass intended security controls, leading to unauthorized cryptographic signing actions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. SSH servers configured to use CertChecker as a public key callback, without explicitly setting IsUserAuthority or IsHostAuthority, are vulnerable. A remote attacker can exploit this by presenting a specially crafted certificate, causing the server to panic and resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Workaround
|
A flaw was found in Prometheus, an open-source monitoring system. The `client_secret` field within the Azure Active Directory (AD) remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access to the `/-/config` HTTP API endpoint to view the Azure OAuth client secret in plaintext. This vulnerability leads to information disclosure, potentially compromising the security of integrated Azure AD services.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 | — | ||
| Unresolved product id: Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The 1.4.2 release of Red Hat Trusted Artifact Signer OpenShift Operator.\nFor more details please visit the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4",
"title": "Topic"
},
{
"category": "general",
"text": "The RHTAS Operator can be used with OpenShift Container Platform 4.17, 4.18, 4.19, 4.20, 4.21, 4.22",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:37271",
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4",
"url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39828",
"url": "https://access.redhat.com/security/cve/CVE-2026-39828"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39829",
"url": "https://access.redhat.com/security/cve/CVE-2026-39829"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39830",
"url": "https://access.redhat.com/security/cve/CVE-2026-39830"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39832",
"url": "https://access.redhat.com/security/cve/CVE-2026-39832"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39833",
"url": "https://access.redhat.com/security/cve/CVE-2026-39833"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39835",
"url": "https://access.redhat.com/security/cve/CVE-2026-39835"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42151",
"url": "https://access.redhat.com/security/cve/CVE-2026-42151"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_37271.json"
}
],
"title": "Red Hat Security Advisory: RHTAS 1.4.2 - Red Hat Trusted Artifact Signer Release",
"tracking": {
"current_release_date": "2026-07-10T12:41:30+00:00",
"generator": {
"date": "2026-07-10T12:41:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:37271",
"initial_release_date": "2026-07-09T11:43:07+00:00",
"revision_history": [
{
"date": "2026-07-09T11:43:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-09T11:43:15+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-10T12:41:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Trusted Artifact Signer 1.4",
"product": {
"name": "Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:trusted_artifact_signer:1.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Trusted Artifact Signer"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"product": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"product_id": "registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cosign-rhel9@sha256%3A4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/cosign-rhel9\u0026tag=1783330691"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"product": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"product_id": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/fetch-tsa-certs-rhel9@sha256%3Af8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/fetch-tsa-certs-rhel9\u0026tag=1783326690"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"product": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"product_id": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitsign-rhel9@sha256%3A4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/gitsign-rhel9\u0026tag=1783332061"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"product": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"product_id": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rekor-cli-rhel9@sha256%3A0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/rekor-cli-rhel9\u0026tag=1783332625"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"product": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"product_id": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/updatetree-rhel9@sha256%3A3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f?arch=amd64\u0026repository_url=registry.redhat.io/rhtas/updatetree-rhel9\u0026tag=1783329793"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"product": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"product_id": "registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cosign-rhel9@sha256%3A15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4?arch=arm64\u0026repository_url=registry.redhat.io/rhtas/cosign-rhel9\u0026tag=1783330691"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"product": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"product_id": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/fetch-tsa-certs-rhel9@sha256%3A74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c?arch=arm64\u0026repository_url=registry.redhat.io/rhtas/fetch-tsa-certs-rhel9\u0026tag=1783326690"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"product": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"product_id": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"product_identification_helper": {
"purl": "pkg:oci/gitsign-rhel9@sha256%3Af9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75?arch=arm64\u0026repository_url=registry.redhat.io/rhtas/gitsign-rhel9\u0026tag=1783332061"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"product": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"product_id": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/rekor-cli-rhel9@sha256%3A4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e?arch=arm64\u0026repository_url=registry.redhat.io/rhtas/rekor-cli-rhel9\u0026tag=1783332625"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64",
"product": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64",
"product_id": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64",
"product_identification_helper": {
"purl": "pkg:oci/updatetree-rhel9@sha256%3Ad034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582?arch=arm64\u0026repository_url=registry.redhat.io/rhtas/updatetree-rhel9\u0026tag=1783329793"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"product": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"product_id": "registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/cosign-rhel9@sha256%3Af8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef?arch=ppc64le\u0026repository_url=registry.redhat.io/rhtas/cosign-rhel9\u0026tag=1783330691"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"product": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"product_id": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/fetch-tsa-certs-rhel9@sha256%3A55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac?arch=ppc64le\u0026repository_url=registry.redhat.io/rhtas/fetch-tsa-certs-rhel9\u0026tag=1783326690"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"product": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"product_id": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitsign-rhel9@sha256%3A7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098?arch=ppc64le\u0026repository_url=registry.redhat.io/rhtas/gitsign-rhel9\u0026tag=1783332061"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"product": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"product_id": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rekor-cli-rhel9@sha256%3Aad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc?arch=ppc64le\u0026repository_url=registry.redhat.io/rhtas/rekor-cli-rhel9\u0026tag=1783332625"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"product": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"product_id": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/updatetree-rhel9@sha256%3A01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1?arch=ppc64le\u0026repository_url=registry.redhat.io/rhtas/updatetree-rhel9\u0026tag=1783329793"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"product": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"product_id": "registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"product_identification_helper": {
"purl": "pkg:oci/cosign-rhel9@sha256%3Ae1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae?arch=s390x\u0026repository_url=registry.redhat.io/rhtas/cosign-rhel9\u0026tag=1783330691"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"product": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"product_id": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/fetch-tsa-certs-rhel9@sha256%3Ac9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b?arch=s390x\u0026repository_url=registry.redhat.io/rhtas/fetch-tsa-certs-rhel9\u0026tag=1783326690"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"product": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"product_id": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitsign-rhel9@sha256%3Ace50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2?arch=s390x\u0026repository_url=registry.redhat.io/rhtas/gitsign-rhel9\u0026tag=1783332061"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"product": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"product_id": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rekor-cli-rhel9@sha256%3A0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583?arch=s390x\u0026repository_url=registry.redhat.io/rhtas/rekor-cli-rhel9\u0026tag=1783332625"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"product": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"product_id": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/updatetree-rhel9@sha256%3A205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e?arch=s390x\u0026repository_url=registry.redhat.io/rhtas/updatetree-rhel9\u0026tag=1783329793"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64"
},
"product_reference": "registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64"
},
"product_reference": "registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x"
},
"product_reference": "registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le"
},
"product_reference": "registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le"
},
"product_reference": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64"
},
"product_reference": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x"
},
"product_reference": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64"
},
"product_reference": "registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64"
},
"product_reference": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le"
},
"product_reference": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x"
},
"product_reference": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64"
},
"product_reference": "registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x"
},
"product_reference": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64"
},
"product_reference": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64"
},
"product_reference": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
},
"product_reference": "registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le"
},
"product_reference": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x"
},
"product_reference": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64"
},
"product_reference": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64 as a component of Red Hat Trusted Artifact Signer 1.4",
"product_id": "Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
},
"product_reference": "registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64",
"relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-39828",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-05-22T04:01:46.775641+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480687"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important security flaw in the `golang.org/x/crypto/ssh` library. When an SSH server utilizing this library is configured with specific authentication callbacks that return a `PartialSuccessError` with non-nil permissions, an attacker could bypass intended certificate restrictions, such as `force-command`. This bypass could lead to unauthorized command execution or access on affected Red Hat systems configured with multi-factor authentication and certificate-based access controls.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39828"
},
{
"category": "external",
"summary": "RHBZ#2480687",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480687"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39828",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39828"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
},
{
"category": "external",
"summary": "https://go.dev/cl/781621",
"url": "https://go.dev/cl/781621"
},
{
"category": "external",
"summary": "https://go.dev/issue/79562",
"url": "https://go.dev/issue/79562"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5014",
"url": "https://pkg.go.dev/vuln/GO-2026-5014"
}
],
"release_date": "2026-05-22T02:31:26.883000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions"
},
{
"cve": "CVE-2026-39829",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-22T04:01:30.092249+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480681"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during public key authentication. Successful exploitation could lead to a denial of service (DoS) due to prolonged CPU consumption during signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in golang.org/x/crypto/ssh is rated as Important. An unauthenticated remote attacker could trigger a denial of service by providing a specially crafted public key with excessively large parameters during SSH public key authentication. This could lead to prolonged CPU consumption on the server, impacting service availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39829"
},
{
"category": "external",
"summary": "RHBZ#2480681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39829",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39829"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829"
},
{
"category": "external",
"summary": "https://go.dev/cl/781641",
"url": "https://go.dev/cl/781641"
},
{
"category": "external",
"summary": "https://go.dev/cl/781661",
"url": "https://go.dev/cl/781661"
},
{
"category": "external",
"summary": "https://go.dev/issue/79565",
"url": "https://go.dev/issue/79565"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5018",
"url": "https://pkg.go.dev/vuln/GO-2026-5018"
}
],
"release_date": "2026-05-22T02:31:27.324000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters"
},
{
"cve": "CVE-2026-39830",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2026-05-22T04:01:38.517202+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480684"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection\u0027s read loop. This prevents the associated resources from being released, leading to a resource leak per connection. The consequence is a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service flaw in `golang.org/x/crypto/ssh`. A remote, unauthenticated attacker can exploit this vulnerability by sending unsolicited global request responses to an affected SSH server, leading to resource exhaustion and a denial of service. The impact is considered Important due to the potential for unauthenticated remote disruption of services utilizing the vulnerable SSH library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39830"
},
{
"category": "external",
"summary": "RHBZ#2480684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480684"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39830",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39830"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830"
},
{
"category": "external",
"summary": "https://go.dev/cl/781640",
"url": "https://go.dev/cl/781640"
},
{
"category": "external",
"summary": "https://go.dev/cl/781664",
"url": "https://go.dev/cl/781664"
},
{
"category": "external",
"summary": "https://go.dev/issue/79564",
"url": "https://go.dev/issue/79564"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5017",
"url": "https://pkg.go.dev/vuln/GO-2026-5017"
}
],
"release_date": "2026-05-22T02:31:27.208000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "workaround",
"details": "To mitigate this denial of service vulnerability, restrict network access to any service that utilizes the `golang.org/x/crypto/ssh` library and is exposed to untrusted networks. Implement firewall rules to allow connections only from trusted hosts or networks. This action limits the ability of malicious peers to send unsolicited global request responses. A restart of the affected service may be necessary for the new network rules to be applied effectively.",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses"
},
{
"cve": "CVE-2026-39832",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-05-22T04:01:41.402561+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480685"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the unrestricted use of the key on the remote host. This vulnerability could enable an attacker to bypass intended security controls and perform unauthorized actions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in `golang.org/x/crypto/ssh/agent` allows for a security bypass when SSH keys with destination restrictions are forwarded via an SSH agent. This flaw could lead to unintended exposure of SSH keys, enabling an attacker to use the forwarded key without the specified restrictions on remote hosts. Red Hat products utilizing `golang.org/x/crypto/ssh/agent` for key forwarding may be affected if users rely on constraint extensions for limiting key usage.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39832"
},
{
"category": "external",
"summary": "RHBZ#2480685",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480685"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39832",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39832"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832"
},
{
"category": "external",
"summary": "https://go.dev/cl/778642",
"url": "https://go.dev/cl/778642"
},
{
"category": "external",
"summary": "https://go.dev/issue/79435",
"url": "https://go.dev/issue/79435"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5006",
"url": "https://pkg.go.dev/vuln/GO-2026-5006"
}
],
"release_date": "2026-05-22T02:31:26.660000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions"
},
{
"cve": "CVE-2026-39833",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2026-05-22T04:01:35.714593+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480683"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh/agent. The NewKeyring() function, which creates an in-memory keyring, failed to enforce the ConfirmBeforeUse constraint on keys. This allowed keys configured to require user confirmation before use to perform signing operations without any prompt or indication to the user. Consequently, an attacker could potentially bypass intended security controls, leading to unauthorized cryptographic signing actions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this issue as Moderate with RH CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). A flaw was found in golang.org/x/crypto/ssh/agent where the in-memory keyring returned by NewKeyring() silently accepted SSH agent keys with the ConfirmBeforeUse constraint but did not enforce interactive confirmation before signing. Exploitation requires local access and low privileges on a system where an affected application uses NewKeyring() with ConfirmBeforeUse. Most Red Hat products that bundle golang.org/x/crypto do not use the ssh/agent ConfirmBeforeUse feature in their supported execution paths. The upstream CISA CVSS 9.1 assumes a broader network attack context that does not reflect Red Hat product deployment.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39833"
},
{
"category": "external",
"summary": "RHBZ#2480683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480683"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39833",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39833"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39833",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39833"
},
{
"category": "external",
"summary": "https://go.dev/cl/778640",
"url": "https://go.dev/cl/778640"
},
{
"category": "external",
"summary": "https://go.dev/cl/778641",
"url": "https://go.dev/cl/778641"
},
{
"category": "external",
"summary": "https://go.dev/issue/79436",
"url": "https://go.dev/issue/79436"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5005",
"url": "https://pkg.go.dev/vuln/GO-2026-5005"
}
],
"release_date": "2026-05-22T02:31:26.294000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "workaround",
"details": "Update affected Go applications to use golang.org/x/crypto version 0.52.0 or later, which rejects unsupported ConfirmBeforeUse keys instead of silently ignoring the constraint. As a workaround, do not add keys with ConfirmBeforeUse to the in-memory keyring from golang.org/x/crypto/ssh/agent, or use an SSH agent implementation that correctly enforces confirm-before-use.",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation"
},
{
"cve": "CVE-2026-39835",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"discovery_date": "2026-05-22T04:01:27.279943+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480680"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. SSH servers configured to use CertChecker as a public key callback, without explicitly setting IsUserAuthority or IsHostAuthority, are vulnerable. A remote attacker can exploit this by presenting a specially crafted certificate, causing the server to panic and resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service flaw in `golang.org/x/crypto/ssh` affecting SSH servers that utilize `CertChecker` as a public key callback without explicitly configuring `IsUserAuthority` or `IsHostAuthority`. A remote, unauthenticated attacker can trigger a server panic by presenting a specially crafted certificate, leading to service disruption. Exploitation requires a specific, non-default configuration of the `CertChecker`.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39835"
},
{
"category": "external",
"summary": "RHBZ#2480680",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480680"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39835",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39835"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835"
},
{
"category": "external",
"summary": "https://go.dev/cl/781660",
"url": "https://go.dev/cl/781660"
},
{
"category": "external",
"summary": "https://go.dev/issue/79563",
"url": "https://go.dev/issue/79563"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5015",
"url": "https://pkg.go.dev/vuln/GO-2026-5015"
}
],
"release_date": "2026-05-22T02:31:26.982000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate"
},
{
"cve": "CVE-2026-42151",
"cwe": {
"id": "CWE-256",
"name": "Plaintext Storage of a Password"
},
"discovery_date": "2026-05-04T19:02:26.983660+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Prometheus, an open-source monitoring system. The `client_secret` field within the Azure Active Directory (AD) remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access to the `/-/config` HTTP API endpoint to view the Azure OAuth client secret in plaintext. This vulnerability leads to information disclosure, potentially compromising the security of integrated Azure AD services.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important information disclosure flaw in Prometheus affects instances configured to use Azure AD remote write with OAuth authentication. The client secret, intended to be a secure credential, is exposed in plaintext through the `/-/config` HTTP API endpoint. This could allow an attacker with access to this endpoint to retrieve the secret, potentially compromising integrated Azure AD services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
],
"known_not_affected": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42151"
},
{
"category": "external",
"summary": "RHBZ#2466507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42151"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/pull/18587",
"url": "https://github.com/prometheus/prometheus/pull/18587"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/pull/18590",
"url": "https://github.com/prometheus/prometheus/pull/18590"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj",
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"
}
],
"release_date": "2026-05-04T18:12:16.917000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-09T11:43:07+00:00",
"details": "Red Hat Trusted Artifact Signer simplifies cryptographic signing and verifying of software artifacts such as container images, binaries and source code changes. It is a self-managed on-premise deployment of the Sigstore project available at https://sigstore.dev\n\nPlatform Engineers, Software Developers and Security Professionals may use RHTAS to ensure the integrity, transparency and assurance of their organization\u0027s software supply chain.\n\nFor details on using the operator, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.4/html-single/release_notes/index",
"product_ids": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:15a1e1d82e2ac631cb5bd6aa420fad3f7e52c414d4efba2d642ace24c5b9f3b4_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:4a1174f4cdc367db08f99ccb9586bf0ff8faa47c3360482b4fb33e75588b53eb_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:e1b929b778eb5dc42b81c18cf1cab4a989ec9124de99dbabdaaec8f0531b41ae_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/cosign-rhel9@sha256:f8a19541958467e3f1aa9ddd2868f20ce7cb760581c3c965941bedade78058ef_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:55bf157183d6a9df8032ca0ab62c418a3cc8b591b1a26a193c5eed36bebd01ac_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:74f364bbf2fe939ce8a02f19afd8f43aa2478090c99067add41b6aff004fda4c_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:c9094568f2e694d6a3c7b0162f3b68a2ef9d2f299efce735afc582f66a27130b_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/fetch-tsa-certs-rhel9@sha256:f8b01d3f2d6400b4208d80d8b66eab7b1f4ec2cd4dcdef06552c3d05db0e896e_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:4f95c088ef66165779e4b2d5ba89cf2594dd0d837bb707350712dc13b8a27c90_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:7c443c3f2c72d1c3cd6ce6cde49a3b781a1b6336bd9b2d974cd69cdfa4c94098_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:ce50f18c962fc813d635461aa9e9bc4fdbf7e8236731caa49b05c1770465cac2_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/gitsign-rhel9@sha256:f9877376bb17567472e84a42ce27273ec3c537103a58d3ff5b616da1b9c18b75_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0187f0248ce7d219797450636bedd086e14ee6932e676bb51d35592306965583_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:0ef106aebc41f050e4833a546a4259c877f3852b94ee914c16a6d646c82d6ec2_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:4565fb543e312c3d113f415fe7d59267086c16a98d8567d2094aed58ff63586e_arm64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/rekor-cli-rhel9@sha256:ad6c77b11bdde5dcd5bdddcedfea9f0422e3b685fbf224165a20605b1882d8fc_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:01024a46eac2bb846cee776132a6ce78a69fdc9dfe75df7a0fb379bed6444db1_ppc64le",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:205ef0889fb950e337a07d793cec8cbdfd713c4190ddb374f8c2a6206506a66e_s390x",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:3a7241f722dbbc7f3bc86cfb15cf2b0d96738ad60ad49dbb0b413c524d50013f_amd64",
"Red Hat Trusted Artifact Signer 1.4:registry.redhat.io/rhtas/updatetree-rhel9@sha256:d034bb82bde1eafe676ce11295bcac3a1e653cab1aa0eb1c61e494b8069f1582_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.