Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3.0.10
Red Hat OpenShift Service Mesh 3.0.10 addresses multiple security vulnerabilities including incorrect parsing of IPv6 host literals, an authorization bypass in gRPC-Go due to improper HTTP/2 path validation, and BuildKit-related arbitrary file write, code execution, and unauthorized file access issues. These vulnerabilities affect components such as istio-rhel9-operator, istio-cni-rhel9, istio-pilot-rhel9, and istio-proxyv2-rhel9. The update provides important security fixes to mitigate these issues.
AI Analysis
Technical Summary
Red Hat OpenShift Service Mesh 3.0.10, based on the Istio project, fixes several security vulnerabilities: CVE-2026-25679 involves incorrect parsing of IPv6 host literals in net/url across multiple components; CVE-2026-33186 is an authorization bypass in gRPC-Go caused by improper HTTP/2 path validation; CVE-2026-33747 and CVE-2026-33748 relate to BuildKit vulnerabilities allowing arbitrary file write, code execution, and unauthorized file access via Git URL fragment subdirectory components. These vulnerabilities affect key components of the service mesh operator and proxy implementations on RHEL9. The Red Hat advisory RHSA-2026:9440 provides these fixes in the 3.0.10 release.
Potential Impact
The vulnerabilities could allow attackers to bypass authorization controls, trigger incorrect handling of IPv6 host literals that may lead to unexpected behavior, and execute arbitrary code or access unauthorized files via BuildKit components. These issues pose a high security risk to microservice architectures relying on Red Hat OpenShift Service Mesh 3.0.x versions prior to 3.0.10. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Red Hat has released OpenShift Service Mesh version 3.0.10, which includes fixes for all listed vulnerabilities. Users should upgrade to this version to remediate these security issues. The vendor advisory RHSA-2026:9440 is the authoritative source for patch availability and remediation guidance. No additional mitigation steps are indicated beyond applying this update.
Technical Details
- Gcve Source: db.gcve.eu
- Csaf Category: csaf_security_advisory
- Csaf Version: 2.0
- Publisher: Red Hat Product Security
- Advisory Id: RHSA-2026:9440
- Cve Count: 4
- Additional Cves: ["CVE-2026-33186","CVE-2026-33747","CVE-2026-33748"]
- Cvss Version: null
Threat ID: 6a160952e29bf47b50618c83
Added to database: 5/26/2026, 8:57:54 PM
Last enriched: 5/26/2026, 8:59:28 PM
Last updated: 5/27/2026, 4:48:17 AM