RHSA-2026:17789 · High · CVSS 9.1

Red Hat Security Advisory: Red Hat build of Cryostat 4.2.0: new RHEL 9 container image security update

Published: May 26, 2026
Last Modified: May 27, 2026

🔗 CVE IDs covered (16)

CVE-2026-2229 · pending
CVE-2026-1526 · pending
CVE-2026-33813
CVE-2026-33815
CVE-2026-33871 · pending
CVE-2026-40895
CVE-2026-1002 · pending
CVE-2026-1525 · pending
CVE-2026-1528 · pending
CVE-2026-4926
CVE-2026-33186
CVE-2026-33816
CVE-2026-4800
CVE-2026-33870 · pending
CVE-2026-34986
CVE-2026-39852

📋 Description

CVE-2026-1002 — io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length
CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports
CVE-2026-4926 — path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
CVE-2026-33813 — golang.org/x/image: golang: golang.org/x/image: Denial of Service via malformed WEBP image parsing
CVE-2026-33815 — github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability
CVE-2026-33816 — github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability
CVE-2026-33870 — io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
CVE-2026-33871 — netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
CVE-2026-39852 — io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests
CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects

🔗 References (19)