RHSA-2026:36167

Vulnerability from csaf_redhat - Published: 2026-07-07 08:06 - Updated: 2026-07-09 11:44
Summary
Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.12
Severity
Important
Notes
Topic: Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.6.12 General Availability release, with updates to container images.
Details: Assisted Installer RHEL 9 integrates components for the general multicluster engine for Kubernetes 2.6.12 release that simplify the process of deploying OpenShift Container Platform clusters. The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters, or to import existing Kubernetes-based clusters for management. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.

CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Affected products
Product Identifier Version Remediation
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x
Vendor Fix fix
Workaround
Threats
Impact Important

A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access.

CWE-281 - Improper Preservation of Permissions
Affected products
Product Identifier Version Remediation
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x
Vendor Fix fix
Workaround
Threats
Impact Important

A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin, which manages container operations, fails to validate labels propagated from an image configuration to a container. This oversight could enable an attacker to execute arbitrary commands on the host system through a plugin that processes these unvalidated labels. The primary impact is host-root command execution, allowing unauthorized control over the underlying system.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected products
Product Identifier Version Remediation
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64
Vendor Fix fix
Workaround
Unresolved product id: multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x
Vendor Fix fix
Workaround
Threats
Impact Important
References

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.6.12 General Availability release, with updates to container images.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Assisted Installer RHEL 9 integrates components for the general multicluster engine\nfor Kubernetes 2.6.12 release that simplify the process of deploying OpenShift Container\nPlatform clusters.\n\nThe multicluster engine for Kubernetes provides the foundational components\nthat are necessary for the centralized management of multiple\nKubernetes-based clusters across data centers, public clouds, and private\nclouds.\n\nYou can use the engine to create new Red Hat OpenShift Container Platform\nclusters, or to import existing Kubernetes-based clusters for management.\n\nAfter the clusters are managed, you can use the APIs that\nare provided by the engine to distribute configuration based on placement\npolicy.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:36167",
        "url": "https://access.redhat.com/errata/RHSA-2026:36167"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
        "url": "https://access.redhat.com/security/cve/CVE-2026-39821"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-39828",
        "url": "https://access.redhat.com/security/cve/CVE-2026-39828"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-53488",
        "url": "https://access.redhat.com/security/cve/CVE-2026-53488"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36167.json"
      }
    ],
    "title": "Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.12",
    "tracking": {
      "current_release_date": "2026-07-09T11:44:18+00:00",
      "generator": {
        "date": "2026-07-09T11:44:18+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.2"
        }
      },
      "id": "RHSA-2026:36167",
      "initial_release_date": "2026-07-07T08:06:49+00:00",
      "revision_history": [
        {
          "date": "2026-07-07T08:06:49+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-07-07T08:06:55+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-07-09T11:44:18+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "multicluster engine for Kubernetes 2.6",
                "product": {
                  "name": "multicluster engine for Kubernetes 2.6",
                  "product_id": "multicluster engine for Kubernetes 2.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:multicluster_engine:2.6::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "multicluster engine for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9?arch=amd64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1783333268"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Ad9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486?arch=arm64\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1783333268"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3A88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4?arch=ppc64le\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1783333268"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x",
                "product": {
                  "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x",
                  "product_id": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/assisted-service-9-rhel9@sha256%3Aea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8?arch=s390x\u0026repository_url=registry.redhat.io/multicluster-engine/assisted-service-9-rhel9\u0026tag=1783333268"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64 as a component of multicluster engine for Kubernetes 2.6",
          "product_id": "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le as a component of multicluster engine for Kubernetes 2.6",
          "product_id": "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64 as a component of multicluster engine for Kubernetes 2.6",
          "product_id": "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x as a component of multicluster engine for Kubernetes 2.6",
          "product_id": "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
        },
        "product_reference": "registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x",
        "relates_to_product_reference": "multicluster engine for Kubernetes 2.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-39821",
      "cwe": {
        "id": "CWE-1289",
        "name": "Improper Validation of Unsafe Equivalence in Input"
      },
      "discovery_date": "2026-05-22T16:00:52.844126+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480756"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "golang.org/x/net/idna is vulnerable to privilege escalation through incorrect Punycode label handling in ToASCII and ToUnicode. An attacker who can supply a Punycode hostname that passes an ASCII-only authorization check may have it normalized to a restricted ASCII name the application intended to block. Red Hat exposure is broad across products shipping the Go toolchain or bundling golang.org/x/net, including RHEL and RHEL-AI golang RPMs, hummingbird Go runtimes, OpenShift and ODF container builds, and Ceph/OpenShift components compiled against affected x/net versions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480756",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/767220",
          "url": "https://go.dev/cl/767220"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78760",
          "url": "https://go.dev/issue/78760"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-5026",
          "url": "https://pkg.go.dev/vuln/GO-2026-5026"
        }
      ],
      "release_date": "2026-05-22T15:01:21.462000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-07T08:06:49+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.11.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:36167"
        },
        {
          "category": "workaround",
          "details": "Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
    },
    {
      "cve": "CVE-2026-39828",
      "cwe": {
        "id": "CWE-281",
        "name": "Improper Preservation of Permissions"
      },
      "discovery_date": "2026-05-22T04:01:46.775641+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480687"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important security flaw in the `golang.org/x/crypto/ssh` library. When an SSH server utilizing this library is configured with specific authentication callbacks that return a `PartialSuccessError` with non-nil permissions, an attacker could bypass intended certificate restrictions, such as `force-command`. This bypass could lead to unauthorized command execution or access on affected Red Hat systems configured with multi-factor authentication and certificate-based access controls.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-39828"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480687",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480687"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-39828",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-39828"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/781621",
          "url": "https://go.dev/cl/781621"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/79562",
          "url": "https://go.dev/issue/79562"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
          "url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-5014",
          "url": "https://pkg.go.dev/vuln/GO-2026-5014"
        }
      ],
      "release_date": "2026-05-22T02:31:26.883000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-07T08:06:49+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.11.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:36167"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions"
    },
    {
      "cve": "CVE-2026-53488",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "discovery_date": "2026-07-01T02:01:09.589815+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2495815"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin, which manages container operations, fails to validate labels propagated from an image configuration to a container. This oversight could enable an attacker to execute arbitrary commands on the host system through a plugin that processes these unvalidated labels. The primary impact is host-root command execution, allowing unauthorized control over the underlying system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A flaw was found in containerd where the CRI plugin propagates labels from an image configuration (LABEL instruction in a Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host via a plugin that consumes container labels for operations, such as the restart-monitor binary:// logger. An attacker who can cause a crafted container image to be pulled and run can achieve host-level code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
          "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-53488"
        },
        {
          "category": "external",
          "summary": "RHBZ#2495815",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2495815"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-53488",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-53488"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53488",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53488"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp",
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp"
        }
      ],
      "release_date": "2026-07-01T00:11:20.610000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-07T08:06:49+00:00",
          "details": "For more information about Assisted Installer, see the following documentation:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#cim-intro\n\nFor multicluster engine for Kubernetes, see the following documentation for\ndetails on how to install the images:\n\nhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#mce-install-intro\n\nThis documentation will be available after the general availability release of Red Hat Advanced Cluster Management 2.11.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:36167"
        },
        {
          "category": "workaround",
          "details": "Restrict container image pulls to trusted registries using admission policies or image signature verification. Where containerd is used as the container runtime, disable or restrict the binary:// logger URI scheme in the containerd configuration to prevent the label-to-logger attack path.",
          "product_ids": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:0dea3f88818977c2392172f46f00c2298360811d7f1d8a8878a947ee986f68e9_amd64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:88a25f8f2cc5c935b8b6f7ffda5beac8d58e3370051cb704dcba9f7fc2c446c4_ppc64le",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:d9d180f6958fbaf250b99cb10d3c955dde07037c01fc39936b74e9cd2484d486_arm64",
            "multicluster engine for Kubernetes 2.6:registry.redhat.io/multicluster-engine/assisted-service-9-rhel9@sha256:ea5ac20c57933b17e55ae6e629ec272f385c3c61d12d0cf91678b6bda12396c8_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…