VDB
RHSA-2026%3A22689
RHSA-2026%3A22689
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in kin-openapi. This vulnerability allows excessive memory consumption via upload of a crafted ZIP file (a "ZIP bomb").
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/multicluster-engine/backplane-rhel9-operator@sha256:6f8ad1c7816c085afe63afc086f23e7651865c8397aea1c9ff59d0b3990b8646_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-curator-controller-rhel9@sha256:6c2148a6a037f97f1cb2bb57b0d7e791dd027e04a55c8519015ae066a27c2cf4_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:44ad772241a2bdf7b22e391abe0ac82beeb5f69d4f2d3230607009e0b1a35cef_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/console-mce-rhel9@sha256:ecc06b5309b9d426c6e8702f5e5e56d5335e3647095b7ca152ee57aadf0ed874_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/multicloud-manager-rhel9@sha256:81aa07fa1a1eb08d66d2fa2bb76b06c21fee7a37de45180c976ebe564f69b28a_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-image-set-controller-rhel9@sha256:2ecab1cef8696f2c0e400e25b9d45d32cd198a3e168b4534fcbb3c46b0327363_arm64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-image-set-controller-rhel9@sha256:68e56d8b9e2715117e3dd89abfc9d7220a45fda0965086abcda4c1ad2b00fa36_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/hypershift-addon-rhel9-operator@sha256:785ed1b58358014fc49b30872dfa27382773da3c38d2031695132cb59a1f8c73_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/hypershift-addon-rhel9-operator@sha256:cfcf71f40ad66d8c16d108109abc23a12020a6ee02ca4cdf058e29ce0c5a0ea3_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/clusterclaims-controller-rhel9@sha256:0143ee81f30ed9b6f656e1fbab78dbd4b914984f98e9107ae571f018b624503b_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/image-based-install-rhel9@sha256:8386d98f9678df55c55572d30d222a3213384a68a62c2ae31a874b8f856defdf_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/hypershift-rhel9-operator@sha256:f401146b51e99537f38a4c86bd74cbd9c5651d7763dff41687e3170823612018_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/console-mce-rhel9@sha256:07da3babe8c8dace85d419ecb6d7fdd94a5b261139932531f99b7b0c6e24e6c6_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/registration-operator-rhel9@sha256:fa0b4aa1820680d60cb408dc45a8cc0ecd0843c4196a69548b6afb226060db21_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/hypershift-cli-rhel9@sha256:747606aa5c88f6c4a444b0eb526f6a600f8a2a514a7b7c8988ec4f161d925936_arm64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:8cdabccc29e206490c69aeb2ce0e0e0211067fd2dc124f2c9593c456e313249d_arm64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/clusterclaims-controller-rhel9@sha256:1dd2991d68ecc5ac62e2e57ae44f3a8181e23c82be9307f445b7b4579accb984_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/managed-serviceaccount-rhel9@sha256:24bf8efae0cc2002e4475b2f228e75b39a3146923a3c5c33a0750a8d69a5c7d1_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/managed-serviceaccount-rhel9@sha256:5cb7e29a813c814150b2fccbd067b33666aba266c259bba576dfe2f3b7a73dbe_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/clusterlifecycle-state-metrics-rhel9@sha256:f2adca072912dc7faacee6eda7be79425302b60dc3560fe50a40e5e64f940160_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
…and 91 more
Timeline
- Jun 2, 2026 CVE Published
- Jun 3, 2026 Distribution Patch
- Jun 3, 2026 Distribution Patch
- Jun 3, 2026 Security Advisory
- Jun 3, 2026 Security Advisory
- Jun 3, 2026 Security Advisory
- Jul 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:22689 advisory
- https://access.redhat.com/security/cve/CVE-2025-30153 advisory
- https://access.redhat.com/security/cve/CVE-2026-33186 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_22689.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2353383 issue
- https://www.cve.org/CVERecord?id=CVE-2025-30153 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-30153 advisory
- https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275 advisory
- https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523 advisory
- https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1 advisory
- https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9 advisory
- https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse advisory
- https://pkg.go.dev/vuln/GO-2025-3533 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2449833 issue
- https://www.cve.org/CVERecord?id=CVE-2026-33186 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-33186 advisory
- https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 advisory