Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.6.14
Red Hat OpenShift Service Mesh 2.6.14 addresses multiple security vulnerabilities affecting components such as istio-operator-rhel8, istio-cni-rhel8, pilot-rhel8, and ratelimit-rhel8. The issues include unexpected session resumption in crypto/tls, potential code smuggling via doc comments, arbitrary file write via malicious pkg-config directives, memory exhaustion in query parameter parsing, and excessive CPU consumption when building archive indexes. These vulnerabilities collectively pose a high security risk. Red Hat has released this advisory to inform users of these issues and the availability of the updated OpenShift Service Mesh 2.6.14 version. No explicit patch links are provided, but the advisory references the updated version as the solution. No known exploits in the wild have been reported at this time.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This advisory covers multiple vulnerabilities in Red Hat OpenShift Service Mesh 2.6.14, which is based on the Istio project. The vulnerabilities include: (1) unexpected session resumption in crypto/tls (CVE-2025-68121), (2) potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732), (3) arbitrary file write through malicious pkg-config directives in cmd/go (CVE-2025-61731), (4) memory exhaustion during query parameter parsing in net/url (CVE-2025-61726), and (5) excessive CPU consumption when building archive indexes in archive/zip (CVE-2025-61728). These affect multiple components such as istio-operator-rhel8, istio-cni-rhel8, pilot-rhel8, and ratelimit-rhel8. The advisory references Red Hat OpenShift Service Mesh 2.6.14 as the updated version addressing these issues. The vulnerabilities are categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-88 (Argument Injection or Modification).
Potential Impact
The vulnerabilities can lead to resource exhaustion (memory and CPU), arbitrary file writes, and unexpected session resumption, which may compromise the stability and security of the affected OpenShift Service Mesh components. These issues could potentially be exploited to disrupt service availability or manipulate system behavior. However, no known exploits in the wild have been reported. The overall severity is assessed as high due to the range of issues affecting critical components of the service mesh infrastructure.
Mitigation Recommendations
Red Hat recommends upgrading to Red Hat OpenShift Service Mesh version 2.6.14, which addresses all listed vulnerabilities. The advisory does not provide separate patch links but directs users to the updated version documentation. Users should apply this update promptly to mitigate the risks. Since this is not a cloud service, remediation is the responsibility of the user. Patch status is confirmed by the vendor advisory indicating the update to version 2.6.14 as the solution.
Technical Details
- GCVE source: db.gcve.eu
- CSAF category: csaf_security_advisory
- CSAF version: 2.0
- Publisher: Red Hat Product Security
- Advisory ID: RHSA-2026:3559
- CVE count: 5
- Additional CVEs: CVE-2025-61728, CVE-2025-61731, CVE-2025-61732, CVE-2025-68121
- CVSS version: null
Threat ID: 6a16096ae29bf47b5062fa97
Added to database: 5/26/2026, 8:58:18 PM
Last enriched: 5/26/2026, 9:42:04 PM
Last updated: 5/27/2026, 4:54:41 AM