Vulnerability-Lookup

RHSA-2026:17123

Vulnerability from csaf_redhat - Published: 2026-05-13 16:35 - Updated: 2026-05-15 00:58

Summary

Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.8.6

Severity

Important

Notes

Topic: Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.8.6 General Availability release, with updates to container images.

Details: Assisted Installer RHEL 9 integrates components for the general multicluster engine for Kubernetes 2.8.6 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-32285

A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64	—	Vendor Fix fix Workaround

Known not affected 16 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le	—	Workaround

Threats

Impact Important

CVE-2026-33186

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le	—	Vendor Fix fix Workaround

Known not affected 12 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64	—	Workaround

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 16 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64	—	Vendor Fix fix Workaround

Known not affected 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le	—	Workaround

Threats

Impact Important

CVE-2026-35469

A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64	—	Vendor Fix fix Workaround

Known not affected 16 products

Product	Version	Remediation
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64	—	Workaround
Unresolved product id: multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le	—	Workaround

Threats

Impact Important

References

29 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:17123	self
https://access.redhat.com/security/cve/CVE-2026-32285	external
https://access.redhat.com/security/cve/CVE-2026-33186	external
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/cve/CVE-2026-35469	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-32285	self
https://bugzilla.redhat.com/show_bug.cgi?id=2451846	external
https://www.cve.org/CVERecord?id=CVE-2026-32285	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32285	external
https://github.com/buger/jsonparser/issues/275	external
https://github.com/golang/vulndb/issues/4514	external
https://pkg.go.dev/vuln/GO-2026-4514	external
https://access.redhat.com/security/cve/CVE-2026-33186	self
https://bugzilla.redhat.com/show_bug.cgi?id=2449833	external
https://www.cve.org/CVERecord?id=CVE-2026-33186	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33186	external
https://github.com/grpc/grpc-go/security/advisori…	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external
https://access.redhat.com/security/cve/CVE-2026-35469	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457729	external
https://www.cve.org/CVERecord?id=CVE-2026-35469	external
https://nvd.nist.gov/vuln/detail/CVE-2026-35469	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.8.6 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 9 integrates components for the general multicluster engine\nfor Kubernetes 2.8.6 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:17123",
        "url": "https://access.redhat.com/errata/RHSA-2026:17123"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32285",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32285"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33186"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-35469",
        "url": "https://access.redhat.com/security/cve/CVE-2026-35469"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_17123.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.8.6",
    "tracking": {
      "current_release_date": "2026-05-15T00:58:05+00:00",
      "generator": {
        "date": "2026-05-15T00:58:05+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:17123",
      "initial_release_date": "2026-05-13T16:35:41+00:00",
      "revision_history": [
        {
          "date": "2026-05-13T16:35:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-13T16:35:51+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-15T00:58:05+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.8",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.8",
                  "product_id": "multicluster engine for Kubernetes 2.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.8::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503284"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-rhel9@sha256%3Aa0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503297"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503377"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503196"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288646"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503284"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-rhel9@sha256%3A2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503297"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503377"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Ae22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503196"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Adebac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288646"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-image-service-rhel9@sha256%3Adbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503284"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-rhel9@sha256%3Aa3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503297"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503377"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3Aa7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503196"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288646"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-image-service-rhel9@sha256%3A0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503284"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-rhel9@sha256%3A2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503297"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-agent-rhel9@sha256%3A28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503377"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-installer-controller-rhel9@sha256%3A2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778503196"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine\u0026tag=1778288646"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64 as a component of multicluster engine for Kubernetes 2.8",
          "product_id": "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32285",
      "cwe": {
        "id": "CWE-1285",
        "name": "Improper Validation of Specified Index, Position, or Offset in Input"
      },
      "discovery_date": "2026-03-26T20:01:54.925687+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451846"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
        ],
        "known_not_affected": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32285"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451846",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451846"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285"
        },
        {
          "category": "external",
          "summary": "https://github.com/buger/jsonparser/issues/275",
          "url": "https://github.com/buger/jsonparser/issues/275"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang/vulndb/issues/4514",
          "url": "https://github.com/golang/vulndb/issues/4514"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4514",
          "url": "https://pkg.go.dev/vuln/GO-2026-4514"
        }
      ],
      "release_date": "2026-03-26T19:40:51.837000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:41+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17123"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input"
    },
    {
      "cve": "CVE-2026-33186",
      "cwe": {
        "id": "CWE-551",
        "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
      },
      "discovery_date": "2026-03-20T23:02:27.802640+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2449833"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
        ],
        "known_not_affected": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33186"
        },
        {
          "category": "external",
          "summary": "RHBZ#2449833",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
        },
        {
          "category": "external",
          "summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
          "url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
        }
      ],
      "release_date": "2026-03-20T22:23:32.147000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:41+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17123"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
        ],
        "known_not_affected": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:41+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17123"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    },
    {
      "cve": "CVE-2026-35469",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-13T03:52:35+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457729"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service flaw affecting OpenShift Container Platform. An attacker with specific elevated cluster roles, such as those permitting pod port forwarding, execution, attachment, or node proxying, could exploit a vulnerability in the SPDY streaming code of Kubelet, CRI-O, and kube-apiserver, leading to unresponsiveness of these critical components.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
        ],
        "known_not_affected": [
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
          "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-35469"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457729",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457729"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-35469",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-35469"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-35469",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35469"
        }
      ],
      "release_date": "2026-04-13T23:59:59+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-13T16:35:41+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.13.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:17123"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, review and restrict the assignment of Kubernetes cluster roles `pods/portforward (create)`, `pods/exec (create)`, `pods/attach (create)`, and `nodes/proxy (get/create)` to untrusted users or service accounts. Ensure that only authorized and necessary entities possess these permissions. Modifying RBAC policies can impact the functionality of applications and services that rely on these permissions; careful testing is recommended.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:0a489743a137c59c945e0cb78f17961765f1d9a3c5525b191a768ce71a13af62_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:1a76db6fb8a0cd7a7de58826e94dabe8b21e7ac82dbd4846b7bc4c659b788a00_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:649bcd0409be091c4408aaebb217815f052a3a0f3028f60888de8807e9107873_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-image-service-rhel9@sha256:dbdc452cf7641e4f8fc3db0b3a177c2a942716f3d6ae84adef4b00d41f598674_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:04c5cb5f2e2f4471b78a27076967e76ab7d1f1f9be4c93656546f92024c9e5d6_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:126febd6e6ce9b106a1f31c00143ce35f1b02d66ec2e0023e00ec541c737cfef_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:28011ea661599db0a8b8674fd11dd25b4cd13f441a8db4b779d324d15476fbbd_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:98e1164448b86412029cba515adc555ad3c218ed7f2d9a6c39eddd3e69e2c851_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:2157410769cc1243e3396847f32ad03eadb6bdf4693cf14d332e55afd9a107e1_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:917b4f598ae4234111b2590d47588091766d313d4a7147ae1755941a994aa760_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:a7e85ee18acbe2d0a304c382575c8d4c38059c7ef7869ec21992334bb496cb2e_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-controller-rhel9@sha256:e22e1363bcb64372c3d37fe43c5e545ebe747424c55e97f04160fbe702f5b7fa_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2d9aba27b570807fd42734ab23effe8146ddcf4df1ccbb232a34675ddf368c5d_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:2dd7530831a9409f32b7bdad48e2144532ed6933404a72ec1e447a7b3d89e8bc_arm64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a0c73efc3def005df32901b6d99fe31d5abae6fbadca3c1b41c3ff5f0710ceda_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-installer-rhel9@sha256:a3bd59b3d69bc70133aa174b2a1b7105599bb87e407f71b96aa07256f1f4da41_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:389f764be799b3bc07a1bcbc20a6f1c2d1798ddca799b9265c9a8cc88abfb4e9_amd64",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:61b8959a3ae2811bcc510c0ee430fc06622894108af90bd40a07e11ae48d3f9e_s390x",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:671d4315ef64cbad6c295b87dedae1d9111664ab6b6737e01d4a6057bf0ecd13_ppc64le",
            "multicluster engine for Kubernetes 2.8:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:debac6cee35ad72042a0c01ac743ba72aa12b34516fa9a774ad193a6705d4ac6_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code"
    }
  ]
}

CVE-2026-35469 (GCVE-0-2026-35469)

Vulnerability from cvelistv5 – Published: 2026-04-16 21:19 – Updated: 2026-04-17 12:37

Title

SpdyStream: DOS on CRI

Summary

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/moby/spdystream/security/advis…	x_refsource_CONFIRM
https://github.com/moby/spdystream/releases/tag/v0.5.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	spdystream	Affected: < 0.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T12:37:18.505269Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T12:37:27.329Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "spdystream",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes \u2014 all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T21:19:23.516Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2"
        },
        {
          "name": "https://github.com/moby/spdystream/releases/tag/v0.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/spdystream/releases/tag/v0.5.1"
        }
      ],
      "source": {
        "advisory": "GHSA-pc3f-x583-g7j2",
        "discovery": "UNKNOWN"
      },
      "title": "SpdyStream: DOS on CRI"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35469",
    "datePublished": "2026-04-16T21:19:23.516Z",
    "dateReserved": "2026-04-02T20:49:44.452Z",
    "dateUpdated": "2026-04-17T12:37:27.329Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33186 (GCVE-0-2026-33186)

Vulnerability from cvelistv5 – Published: 2026-03-20 22:23 – Updated: 2026-03-24 18:09

Title

gRPC-Go has an authorization bypass via missing leading slash in :path

Summary

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/grpc/grpc-go/security/advisori…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
grpc	grpc-go	Affected: < 1.79.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33186",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T18:08:38.989284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T18:09:13.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grpc-go",
          "vendor": "grpc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.79.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T22:23:32.147Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
        }
      ],
      "source": {
        "advisory": "GHSA-p77j-4mvh-x3m3",
        "discovery": "UNKNOWN"
      },
      "title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33186",
    "datePublished": "2026-03-20T22:23:32.147Z",
    "dateReserved": "2026-03-17T22:16:36.720Z",
    "dateUpdated": "2026-03-24T18:09:13.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32285 (GCVE-0-2026-32285)

Vulnerability from cvelistv5 – Published: 2026-03-26 19:40 – Updated: 2026-04-20 19:01

Title

Denial of service in github.com/buger/jsonparser

Summary

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

References

3 references

URL	Tags
https://github.com/buger/jsonparser/issues/275
https://github.com/golang/vulndb/issues/4514
https://pkg.go.dev/vuln/GO-2026-4514

Impacted products

1 product

Vendor	Product	Version
github.com/buger/jsonparser	github.com/buger/jsonparser	Affected: 0 , < 1.1.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32285",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T14:05:55.547828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T14:55:19.026Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/buger/jsonparser",
          "product": "github.com/buger/jsonparser",
          "programRoutines": [
            {
              "name": "Delete"
            },
            {
              "name": "FuzzDelete"
            }
          ],
          "vendor": "github.com/buger/jsonparser",
          "versions": [
            {
              "lessThan": "1.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T19:01:23.660Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://github.com/buger/jsonparser/issues/275"
        },
        {
          "url": "https://github.com/golang/vulndb/issues/4514"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4514"
        }
      ],
      "title": "Denial of service in github.com/buger/jsonparser"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32285",
    "datePublished": "2026-03-26T19:40:51.837Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-20T19:01:23.660Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:17123

CVE-2026-35469 (GCVE-0-2026-35469)

CVE-2026-33186 (GCVE-0-2026-33186)

CVE-2026-34986 (GCVE-0-2026-34986)

CVE-2026-32285 (GCVE-0-2026-32285)

Tags

Sightings

Nomenclature