RHSA-2026:36319HighCVSS 8.8

Red Hat Security Advisory: RHACS 4.9.9 security and bug fix update

Published
July 7, 2026
Last Modified
July 10, 2026

🔗 CVE IDs covered (17)

📋 Description

CVE-2026-9165 — stackrox: stackrox: Unbounded GraphQL query depth allows authenticated denial of service CVE-2026-12143 — form-data: form-data: Form field override via CRLF injection CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25681 — golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVE-2026-32281 — crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation CVE-2026-33811 — net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME CVE-2026-39820 — net/mail: golang: Go net/mail: Denial of Service via crafted email inputs CVE-2026-39828 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions CVE-2026-39829 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters CVE-2026-39830 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses CVE-2026-39831 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check CVE-2026-39832 — golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions CVE-2026-39835 — golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate CVE-2026-42499 — net/mail: golang: net/mail: Denial of Service via pathological email address parsing CVE-2026-46597 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs CVE-2026-53488 — github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin

🔗 References (21)