Vulnerability-Lookup

RHSA-2026:17121

Vulnerability from csaf_redhat - Published: 2026-05-13 16:35 - Updated: 2026-05-15 02:39

Summary

Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.6

Severity

Important

Notes

Topic: Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.6 General Availability release, with updates to container images.

Details: Assisted Installer RHEL 8 integrates components for the general multicluster engine for Kubernetes 2.8.6 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-32285

A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-35469

A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x	—	Vendor Fix fix Workaround

Threats

Impact Important

References

23 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:17121	self
https://access.redhat.com/security/cve/CVE-2026-32285	external
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/cve/CVE-2026-35469	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-32285	self
https://bugzilla.redhat.com/show_bug.cgi?id=2451846	external
https://www.cve.org/CVERecord?id=CVE-2026-32285	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32285	external
https://github.com/buger/jsonparser/issues/275	external
https://github.com/golang/vulndb/issues/4514	external
https://pkg.go.dev/vuln/GO-2026-4514	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external
https://access.redhat.com/security/cve/CVE-2026-35469	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457729	external
https://www.cve.org/CVERecord?id=CVE-2026-35469	external
https://nvd.nist.gov/vuln/detail/CVE-2026-35469	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 8 components for the multicluster engine for Kubernetes 2.8.6 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 8 integrates components for the general multicluster engine\nfor Kubernetes 2.8.6 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:17121",
        "url": "https://access.redhat.com/errata/RHSA-2026:17121"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32285",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32285"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-35469",
        "url": "https://access.redhat.com/security/cve/CVE-2026-35469"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_17121.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.8.6",
    "tracking": {
      "current_release_date": "2026-05-15T02:39:13+00:00",
      "generator": {
        "date": "2026-05-15T02:39:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:17121",
      "initial_release_date": "2026-05-13T16:35:04+00:00",
      "revision_history": [
        {
          "date": "2026-05-13T16:35:04+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-13T16:35:12+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-15T02:39:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.8",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.8",
                  "product_id": "multicluster engine for Kubernetes 2.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.8::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288655"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288655"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3A319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288655"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-8-rhel8@sha256%3Acf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288655"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32285",
      "cwe": {
        "id": "CWE-1285",
        "name": "Improper Validation of Specified Index, Position, or Offset in Input"
      },
      "discovery_date": "2026-03-26T20:01:54.925687+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451846"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32285"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451846",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451846"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285"
        },
        {
          "category": "external",
          "summary": "https://github.com/buger/jsonparser/issues/275",
          "url": "https://github.com/buger/jsonparser/issues/275"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang/vulndb/issues/4514",
          "url": "https://github.com/golang/vulndb/issues/4514"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4514",
          "url": "https://pkg.go.dev/vuln/GO-2026-4514"
        }
      ],
      "release_date": "2026-03-26T19:40:51.837000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:04+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17121"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:04+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17121"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    },
    {
      "cve": "CVE-2026-35469",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-13T03:52:35+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457729"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service flaw affecting OpenShift Container Platform. An attacker with specific elevated cluster roles, such as those permitting pod port forwarding, execution, attachment, or node proxying, could exploit a vulnerability in the SPDY streaming code of Kubelet, CRI-O, and kube-apiserver, leading to unresponsiveness of these critical components.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-35469"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457729",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457729"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-35469",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-35469"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35469",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35469"
        }
      ],
      "release_date": "2026-04-13T23:59:59+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:04+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17121"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, review and restrict the assignment of Kubernetes cluster roles `pods/portforward (create)`, `pods/exec (create)`, `pods/attach (create)`, and `nodes/proxy (get/create)` to untrusted users or service accounts. Ensure that only authorized and necessary entities possess these permissions. Modifying RBAC policies can impact the functionality of applications and services that rely on these permissions; careful testing is recommended.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:319978f477315441f9bcfc8ecb40bde3ad84136d3e634627ce114b400263c593_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:5c3fb43dee6299526b4c48d8a4c0a551ce138ff468bec663a29b7f174f4f2d9d_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:9ed7a2abd8c1949da891af2e7cbec5fbb03a58acf76048078b03c5ead7f4d5cd_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-8-rhel8@sha256:cf5366023df8dafdc799931d295128ea6b80ef1c84da4fcdede321dd44676390_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code"
    }
  ]
}

CVE-2026-35469 (GCVE-0-2026-35469)

Vulnerability from cvelistv5 – Published: 2026-04-16 21:19 – Updated: 2026-04-17 12:37

Title

SpdyStream: DOS on CRI

Summary

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/moby/spdystream/security/advis…	x_refsource_CONFIRM
https://github.com/moby/spdystream/releases/tag/v0.5.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	spdystream	Affected: < 0.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T12:37:18.505269Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T12:37:27.329Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "spdystream",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes \u2014 all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T21:19:23.516Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2"
        },
        {
          "name": "https://github.com/moby/spdystream/releases/tag/v0.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/spdystream/releases/tag/v0.5.1"
        }
      ],
      "source": {
        "advisory": "GHSA-pc3f-x583-g7j2",
        "discovery": "UNKNOWN"
      },
      "title": "SpdyStream: DOS on CRI"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35469",
    "datePublished": "2026-04-16T21:19:23.516Z",
    "dateReserved": "2026-04-02T20:49:44.452Z",
    "dateUpdated": "2026-04-17T12:37:27.329Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32285 (GCVE-0-2026-32285)

Vulnerability from cvelistv5 – Published: 2026-03-26 19:40 – Updated: 2026-04-20 19:01

Title

Denial of service in github.com/buger/jsonparser

Summary

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

References

3 references

URL	Tags
https://github.com/buger/jsonparser/issues/275
https://github.com/golang/vulndb/issues/4514
https://pkg.go.dev/vuln/GO-2026-4514

Impacted products

1 product

Vendor	Product	Version
github.com/buger/jsonparser	github.com/buger/jsonparser	Affected: 0 , < 1.1.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32285",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T14:05:55.547828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T14:55:19.026Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/buger/jsonparser",
          "product": "github.com/buger/jsonparser",
          "programRoutines": [
            {
              "name": "Delete"
            },
            {
              "name": "FuzzDelete"
            }
          ],
          "vendor": "github.com/buger/jsonparser",
          "versions": [
            {
              "lessThan": "1.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T19:01:23.660Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://github.com/buger/jsonparser/issues/275"
        },
        {
          "url": "https://github.com/golang/vulndb/issues/4514"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4514"
        }
      ],
      "title": "Denial of service in github.com/buger/jsonparser"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32285",
    "datePublished": "2026-03-26T19:40:51.837Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-20T19:01:23.660Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:17121

CVE-2026-35469 (GCVE-0-2026-35469)

CVE-2026-34986 (GCVE-0-2026-34986)

CVE-2026-32285 (GCVE-0-2026-32285)

Tags

Sightings

Nomenclature