The Red Hat Service Telemetry Framework (STF) version 1.5.7 update addresses several security vulnerabilities: CVE-2026-23490 (denial of service via memory exhaustion from malformed RELATIVE-OID in pyasn1), CVE-2026-24049 (privilege escalation or arbitrary code execution through malicious wheel file unpacking), CVE-2026-25679 (incorrect parsing of IPv6 host literals in net/url), CVE-2026-30922 (denial of service via unbounded recursion in pyasn1), CVE-2026-32280 (denial of service in certificate chain building), and CVE-2025-61729 (excessive resource consumption when printing error strings during host certificate validation in crypto/x509). These vulnerabilities affect Red Hat OpenStack Platform and related components. The vendor advisory directs users to updated container images available from the Red Hat Container Registry for remediation.

The vulnerabilities collectively could allow denial of service conditions through memory exhaustion and unbounded recursion, privilege escalation or arbitrary code execution via malicious package unpacking, and resource exhaustion during certificate validation processes. These impacts could disrupt telemetry data collection and processing within affected Red Hat environments, potentially affecting monitoring and management operations. There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated Service Telemetry Framework container images (version 1.5.7) that address these vulnerabilities. Users should update their deployments by pulling the new images from the Red Hat Container Registry as specified in the advisory and amend Dockerfiles or deployment scripts to reference these updated images. No other specific mitigations are indicated by the vendor advisory. Patch status is confirmed as an official fix available via updated container images.