The golang-github-openprinting-ipp-usb package in Red Hat Enterprise Linux 10.0 EUS provides an HTTP reverse proxy for USB devices using the IPP-over-USB protocol. This update fixes three vulnerabilities: CVE-2026-32282, where Root.Chmod can follow symlinks outside the intended root directory, potentially leading to unauthorized file permission changes; CVE-2026-32283, a denial of service vulnerability triggered by multiple TLS 1.3 key update messages in Go's crypto/tls package; and CVE-2026-32280, a denial of service vulnerability in certificate chain building in Go's crypto/x509 package. These issues are addressed by updated packages provided by Red Hat. The advisory references Red Hat's errata RHSA-2026:19550 for detailed remediation instructions.

Successful exploitation of CVE-2026-32282 could allow an attacker to manipulate file permissions outside the intended root directory via symlink traversal. CVE-2026-32283 and CVE-2026-32280 could allow denial of service conditions in applications using Go's crypto/tls and crypto/x509 libraries, potentially disrupting services relying on TLS communications. The vulnerabilities affect systems running the affected golang-github-openprinting-ipp-usb package on Red Hat Enterprise Linux 10.0 EUS. No known active exploits have been reported.

Red Hat has released updated packages for golang-github-openprinting-ipp-usb to address these vulnerabilities. Users should apply the security update available in Red Hat Enterprise Linux 10.0 Extended Update Support as described in Red Hat advisory RHSA-2026:19550 and the update article https://access.redhat.com/articles/11258. Applying these updates will remediate the issues. There is no indication that additional mitigations are required beyond applying the official patches.