The Red Hat security advisory RHSA-2026:11514 addresses three vulnerabilities affecting the grafana-pcp package on Red Hat Enterprise Linux 8. The issues fixed include: (1) a symlink following flaw in golang's internal syscall unix Root.Chmod function (CVE-2026-32282), (2) a denial of service vulnerability triggered by multiple TLS 1.3 key update messages in golang's crypto/tls package (CVE-2026-32283), and (3) a denial of service vulnerability in certificate chain building in golang's crypto/x509 package (CVE-2026-32280). These vulnerabilities impact the Grafana plugin's ability to handle time series data and metrics securely. Red Hat has released updated packages to remediate these issues across multiple hardware architectures.

The vulnerabilities can lead to denial of service conditions and potential privilege escalation via symlink traversal in affected systems running the grafana-pcp plugin on Red Hat Enterprise Linux 8. The denial of service issues arise from flaws in Go's TLS and certificate handling libraries, which could disrupt services relying on secure communications. The symlink issue could allow unauthorized file permission changes outside intended directories. No exploits are currently known in the wild, but the issues are rated as important due to their potential impact on system stability and security.

Red Hat has released updated grafana-pcp packages for Red Hat Enterprise Linux 8 that address these vulnerabilities. Users should apply the official security update RHSA-2026:11514 promptly to remediate the issues. Detailed instructions for applying the update are available at https://access.redhat.com/articles/11258. Since this is a traditional software package and not a cloud service, remediation requires manual patching by system administrators. No additional mitigation steps are indicated by the vendor advisory.