Red Hat Security Advisory: RHACS 4.9.9 security and bug fix update
🔗 CVE IDs covered (17)
📋 Description
CVE-2026-9165 — stackrox: stackrox: Unbounded GraphQL query depth allows authenticated denial of service CVE-2026-12143 — form-data: form-data: Form field override via CRLF injection CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25681 — golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVE-2026-32281 — crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation CVE-2026-33811 — net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME CVE-2026-39820 — net/mail: golang: Go net/mail: Denial of Service via crafted email inputs CVE-2026-39828 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions CVE-2026-39829 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters CVE-2026-39830 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses CVE-2026-39831 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check CVE-2026-39832 — golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions CVE-2026-39835 — golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate CVE-2026-42499 — net/mail: golang: net/mail: Denial of Service via pathological email address parsing CVE-2026-46597 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs CVE-2026-53488 — github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin
🔗 References (21)
- selfhttps://access.redhat.com/errata/RHSA-2026:36319
- externalhttps://access.redhat.com/security/cve/CVE-2026-12143
- externalhttps://access.redhat.com/security/cve/CVE-2026-25679
- externalhttps://access.redhat.com/security/cve/CVE-2026-25681
- externalhttps://access.redhat.com/security/cve/CVE-2026-32280
- externalhttps://access.redhat.com/security/cve/CVE-2026-32281
- externalhttps://access.redhat.com/security/cve/CVE-2026-33811
- externalhttps://access.redhat.com/security/cve/CVE-2026-39820
- externalhttps://access.redhat.com/security/cve/CVE-2026-39828
- externalhttps://access.redhat.com/security/cve/CVE-2026-39829
- externalhttps://access.redhat.com/security/cve/CVE-2026-39830
- externalhttps://access.redhat.com/security/cve/CVE-2026-39831
- externalhttps://access.redhat.com/security/cve/CVE-2026-39832
- externalhttps://access.redhat.com/security/cve/CVE-2026-39835
- externalhttps://access.redhat.com/security/cve/CVE-2026-42499
- externalhttps://access.redhat.com/security/cve/CVE-2026-46597
- externalhttps://access.redhat.com/security/cve/CVE-2026-53488
- externalhttps://access.redhat.com/security/cve/CVE-2026-9165
- externalhttps://access.redhat.com/security/updates/classification/
- externalhttps://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.9/html-single/release_notes/index#about-this-release-499_release-notes-49
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36319.json