The Red Hat Trusted Artifact Signer (RHTAS) Operator, used with OpenShift Container Platform versions 4.16 to 4.21, is affected by three vulnerabilities (CVE-2026-33815, CVE-2026-33816, CVE-2026-34986) related to weaknesses categorized under CWE-787 (Out-of-bounds Write) and CWE-131 (Incorrect Calculation of Buffer Size). These vulnerabilities potentially impact the cryptographic signing and verification processes of software artifacts. The advisory (RHSA-2026:24475) does not provide detailed technical descriptions or remediation steps and explicitly states that no fixes are included in the current release. The vulnerabilities are acknowledged but remain unpatched as of the advisory date.

The vulnerabilities affect the integrity and security assurance functions of the Red Hat Trusted Artifact Signer, potentially undermining the cryptographic signing and verification of container images, binaries, and source code changes. This could impact the software supply chain security for organizations using RHTAS with OpenShift Container Platform versions 4.16 through 4.21. No known exploits have been reported in the wild, and the advisory does not specify direct exploitation consequences or confirmed impact scenarios.

No official fixes or patches are currently available for these vulnerabilities as per the Red Hat advisory RHSA-2026:24475. Users should monitor Red Hat's official channels for updates and apply any future patches promptly once released. Since this is a self-managed on-premise deployment, organizations should consider risk assessment and potentially limit exposure by controlling access to the RHTAS Operator until a fix is provided. No vendor-provided mitigations or workarounds are documented in the advisory.