
Threats Tagged 'cve-2026-34986'

View all threats tagged with 'cve-2026-34986'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: buildah security update | CVE-2026-34986

A denial of service vulnerability (CVE-2026-34986) exists in the Go JOSE library used by the buildah tool for building OCI container images. This vulnerability can be triggered via a crafted JSON Web Encryption (JWE) object. Red Hat has issued an important security update for buildah in Red Hat Enterprise Linux 9 to address this issue. The update mitigates the vulnerability by upgrading the affected Go JOSE library version. No known exploits are reported in the wild at this time.

Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.7.10 | CVE-2026-7163

This advisory concerns the Assisted Installer RHEL 9 components integrated with the Multicluster Engine for Kubernetes 2.7.10, which facilitates centralized management of multiple Kubernetes-based clusters. The vulnerability affects components used to deploy and manage OpenShift Container Platform clusters across various environments. No specific technical details about the vulnerability or exploitation methods are provided. The advisory does not mention any available patches or fixes at this time. The severity is assessed as high based on the advisory classification. No known exploits are reported in the wild. The vendor documentation references general installation and usage guidance but does not provide remediation steps or fixes.

Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.6.15 | CVE-2026-25679

Red Hat OpenShift Service Mesh 2.6.15 addresses multiple security vulnerabilities affecting components based on the Istio project. These include incorrect parsing of IPv6 host literals, denial of service (DoS) vulnerabilities via crafted JSON Web Encryption objects, DoS in certificate chain building, possible memory corruption after bound check elimination, and interface conversion issues bypassing overlap checking. The vulnerabilities impact several components such as istio-operator-rhel8, istio-cni-rhel8, pilot-rhel8, and ratelimit-rhel8. The advisory indicates these issues have a high severity impact. No explicit patch links are provided, but the advisory references the updated version 2.6.15 as the solution. There are no known exploits in the wild at the time of publication.

Red Hat Security Advisory: skopeo security update | CVE-2025-61726

Multiple security vulnerabilities affecting the skopeo command in Red Hat Enterprise Linux 10.0 Extended Update Support have been identified and addressed. These include denial of service issues due to excessive resource consumption via crafted certificates and crafted JSON Web Encryption objects, memory exhaustion in URL query parameter parsing, unexpected TLS session resumption behavior, and incorrect parsing of IPv6 host literals. The vulnerabilities impact components such as golang's crypto/x509, net/url, crypto/tls, and the Go JOSE library. Red Hat has released an important security update to fix these issues. No known exploits in the wild have been reported at this time.

Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.18.20 security, enhancement & bug fix update | CVE-2025-61729

Red Hat OpenShift Data Foundation 4.18.20 includes a security, enhancement, and bug fix update addressing multiple issues including UI blockers and certificate validation errors. The update fixes bugs related to the Storage System wizard, operator image usage, and external mode backing store connection failures. The advisory references four CVEs (CVE-2025-61729, CVE-2026-33036, CVE-2026-34986, CVE-2026-4800) but does not provide detailed vulnerability descriptions or CVSS scores. The update is classified as important with a high severity rating by Red Hat. No known exploits in the wild have been reported. Patch status is not explicitly stated in the advisory content, but the update itself is presented as a security and bug fix release.

Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.17.24 security, enhancement & bug fix update | CVE-2025-61729

Red Hat OpenShift Data Foundation 4.17.24 includes a security, enhancement, and bug fix update addressing multiple vulnerabilities identified by CVE-2025-61729, CVE-2026-4800, CVE-2026-33036, and CVE-2026-34986. The update fixes issues such as improper use of certain container images and problems related to self-signed certificates causing connection failures in external mode. The advisory does not provide detailed technical descriptions or CVSS scores for these vulnerabilities but categorizes the overall severity as high. No known exploits in the wild have been reported. The update is not a cloud service, so remediation requires applying the vendor's update. Patch status is confirmed via the advisory, which provides updated images and instructions for applying the update.

Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.9.4 | CVE-2026-7163

This advisory concerns the Assisted Installer RHEL 8 components integrated with the Multicluster Engine for Kubernetes 2.9.4, which facilitates centralized management of multiple Kubernetes clusters. The multicluster engine enables creation and import of OpenShift Container Platform clusters and provides APIs for configuration distribution based on placement policies. The advisory identifies two CVEs (CVE-2026-7163 and CVE-2026-34986) related to this component, categorized under CWE-312 (Cleartext Storage of Sensitive Information) and CWE-131 (Incorrect Calculation of Buffer Size). No fixes or patches are currently provided in the advisory. The severity is assessed as high. Documentation for installation and usage is referenced, but no direct remediation or mitigation steps are indicated in the vendor advisory.

Red Hat Security Advisory: podman security update | CVE-2026-25679

Two security vulnerabilities affecting the podman container management tool in Red Hat Enterprise Linux 10 have been addressed. The first vulnerability (CVE-2026-25679) involves incorrect parsing of IPv6 host literals in the net/url package. The second (CVE-2026-34986) is a denial of service issue via crafted JSON Web Encryption (JWE) objects in the Go JOSE library. Red Hat has released an important security update to fix these issues in podman and related packages. The update is available for multiple architectures and variants of Red Hat Enterprise Linux 10 and CodeReady Linux Builder. No known exploits in the wild have been reported. Users should apply the update as recommended by Red Hat to remediate these vulnerabilities.

Red Hat Security Advisory: buildah security update | CVE-2026-32280

This advisory addresses multiple denial of service vulnerabilities in the buildah package used for building OCI container images on Red Hat Enterprise Linux 9.6 Extended Update Support. The vulnerabilities include issues in the Go JOSE library (CVE-2026-34986), Go crypto/tls (CVE-2026-32283), and Go crypto/x509 (CVE-2026-32280), all leading to potential denial of service conditions. Red Hat has released updated buildah packages that fix these issues. The advisory rates the security impact as Important (high severity).

Red Hat Security Advisory: buildah security update | CVE-2026-32280

Multiple denial of service vulnerabilities have been identified in the buildah package used for building OCI container images on Red Hat Enterprise Linux 10.0 Extended Update Support. These vulnerabilities affect components such as Go JOSE, crypto/x509, and crypto/tls libraries, allowing denial of service via crafted JSON Web Encryption objects, inefficient certificate chain validation, multiple TLS 1.3 key update messages, and certificate chain building. Red Hat has issued an important security update addressing these issues. The vulnerabilities are rated with high severity but no CVSS score is provided. The update is available for various architectures and Red Hat Enterprise Linux variants.


Showing 1 to 10 of 31 results
