This Red Hat security advisory for OpenShift distributed tracing platform (Tempo) 3.9.3 fixes several vulnerabilities in the Apache Thrift library. The fixed issues include an integer overflow in TFramedTransport (CVE-2026-41602), improper server certificate hostname validation (CVE-2026-41603), out-of-bounds read vulnerabilities (CVE-2026-41604, CVE-2026-41607), a general integer overflow (CVE-2026-41605), and uncontrolled recursion leading to denial-of-service (CVE-2026-41606). These flaws could allow remote attackers to cause denial-of-service, information disclosure, or man-in-the-middle attacks by exploiting certificate validation weaknesses. The update corrects these vulnerabilities by improving input validation, memory boundary checks, integer operation handling, and certificate verification. The advisory does not report any breaking changes, deprecations, or new features.

The vulnerabilities fixed in this release could allow remote attackers to cause denial-of-service conditions via integer overflows or uncontrolled recursion, potentially exhausting system resources. The out-of-bounds read flaws could lead to information disclosure by accessing memory outside allocated bounds. The improper server certificate validation vulnerability could enable attackers to impersonate legitimate servers, intercept or alter sensitive communications, and gain unauthorized access or disclose information. These impacts affect system availability, integrity, and confidentiality.

A fixed version of Red Hat OpenShift distributed tracing platform (Tempo) 3.9.3 is available that addresses all listed vulnerabilities. Users should apply this update promptly to remediate the integer overflow, out-of-bounds read, uncontrolled recursion, and server certificate validation issues in Apache Thrift. For detailed upgrade instructions, refer to Red Hat's official documentation on upgrading operators in OpenShift. No additional mitigations are indicated by the vendor advisory.