This advisory for Red Hat OpenShift Container Platform 4.17.54 addresses three security vulnerabilities: CVE-2026-24049, a privilege escalation or arbitrary code execution vulnerability via malicious wheel file unpacking; CVE-2026-33186, an authorization bypass in gRPC-Go caused by improper HTTP/2 path validation; and CVE-2026-35469, a denial of service vulnerability affecting kubelet, CRI-O, and kube-apiserver via SPDY streaming code. The update includes RPM packages and container images to remediate these issues. Red Hat rates the security impact as Important and recommends upgrading to these updated components. Instructions for upgrading clusters are available through official Red Hat documentation. The advisory does not provide CVSS scores but references CVE pages for detailed severity ratings. No exploits in the wild are currently known.

The vulnerabilities fixed in this update could allow an attacker to cause denial of service (CVE-2026-35469), bypass authorization controls (CVE-2026-33186), or escalate privileges or execute arbitrary code via crafted wheel files (CVE-2026-24049). These issues affect core components of the OpenShift Container Platform, potentially impacting cluster stability, security boundaries, and code execution trust. The overall security impact is rated as Important by Red Hat Product Security. No known active exploitation has been reported.

Red Hat has released updated RPM packages and container images as part of OpenShift Container Platform 4.17.54 to address these vulnerabilities. Users should upgrade their OpenShift clusters to this version using the OpenShift CLI (oc) or web console following the official Red Hat upgrade documentation. This update fully mitigates the described vulnerabilities. There are no indications that additional temporary workarounds are required or recommended. Patch status is confirmed as available and official.