VDB
RHSA-2026%3A3906
RHSA-2026%3A3906
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift4/nmstate-console-plugin-rhel9@sha256:87f78791e5c076f183d1be00ec3c70261f075ae9bf662e6e1a1be564cbddc071_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/nmstate-console-plugin-rhel9@sha256:87f78791e5c076f183d1be00ec3c70261f075ae9bf662e6e1a1be564cbddc071_ppc64le, registry.redhat.io/openshift4/nmstate-console-plugin-rhel9@sha256:87f78791e5c076f183d1be00ec3c70261f075ae9bf662e6e1a1be564cbddc071_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:fd9b01338bb1df1ee996f7d22cbe780be11b18c2beaeb8333d26091ca07ea77a_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:fd9b01338bb1df1ee996f7d22cbe780be11b18c2beaeb8333d26091ca07ea77a_arm64, *, registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:fd9b01338bb1df1ee996f7d22cbe780be11b18c2beaeb8333d26091ca07ea77a_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:b0f946698719b28d05b457d3ee67cd2309ca1ab882f9af90b1728bdf29e3a285_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:d270adeb3be579d58716a1819b29c02706aa52d5625af5db98a487b51b7f52f1_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:6527f9d894647a8c1edc72e83d7557c2d216a33ff85441a19d9c7746164eb754_s390x as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:6527f9d894647a8c1edc72e83d7557c2d216a33ff85441a19d9c7746164eb754_s390x, registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:6527f9d894647a8c1edc72e83d7557c2d216a33ff85441a19d9c7746164eb754_s390x |
| Red Hat | registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:ed880beb590821b0729a8600ae24f8facabea073b84542236e07abd2f3b1c87b_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:ed880beb590821b0729a8600ae24f8facabea073b84542236e07abd2f3b1c87b_arm64, *, registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:ed880beb590821b0729a8600ae24f8facabea073b84542236e07abd2f3b1c87b_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:f90fc5aa2803ac5276e75209f86e7facca112a63563152cfe7ae7ad2543ff5de_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:f90fc5aa2803ac5276e75209f86e7facca112a63563152cfe7ae7ad2543ff5de_amd64, registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:f90fc5aa2803ac5276e75209f86e7facca112a63563152cfe7ae7ad2543ff5de_amd64, registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:f90fc5aa2803ac5276e75209f86e7facca112a63563152cfe7ae7ad2543ff5de_amd64 |
| Red Hat | registry.redhat.io/openshift4/ose-cloud-event-proxy-rhel9@sha256:649859256dd9c3d5a13e4a2cc8bbe3178a8fa354c46dbc5bdfb7e21a490a8499_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-cloud-event-proxy-rhel9@sha256:649859256dd9c3d5a13e4a2cc8bbe3178a8fa354c46dbc5bdfb7e21a490a8499_arm64, registry.redhat.io/openshift4/ose-cloud-event-proxy-rhel9@sha256:649859256dd9c3d5a13e4a2cc8bbe3178a8fa354c46dbc5bdfb7e21a490a8499_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:a9b40c9aee1c749c827a33d7ecfc5458597d6e3aed5fa071d6a388ee9d336504_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:a9b40c9aee1c749c827a33d7ecfc5458597d6e3aed5fa071d6a388ee9d336504_amd64, *, registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:a9b40c9aee1c749c827a33d7ecfc5458597d6e3aed5fa071d6a388ee9d336504_amd64 |
| Red Hat | registry.redhat.io/openshift4/ose-dpu-rhel9-operator@sha256:849856be6a8b91fc29f2600bed1397873abd7ce4c98dce85ae0c954e2c6ac987_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-dpu-rhel9-operator@sha256:849856be6a8b91fc29f2600bed1397873abd7ce4c98dce85ae0c954e2c6ac987_ppc64le, * |
| Red Hat | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:0eda6895d37e02112bb551221585d690c084edee6e4fc5a84dbcd8b52f3dda47_s390x as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:0eda6895d37e02112bb551221585d690c084edee6e4fc5a84dbcd8b52f3dda47_s390x, *, registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:0eda6895d37e02112bb551221585d690c084edee6e4fc5a84dbcd8b52f3dda47_s390x |
| Red Hat | registry.redhat.io/openshift4/ose-local-storage-mustgather-rhel9@sha256:88742ac27f083e7441a0dfe1d6b7d218f83164c2deb7efc703a703bfc63c3112_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-local-storage-mustgather-rhel9@sha256:88742ac27f083e7441a0dfe1d6b7d218f83164c2deb7efc703a703bfc63c3112_ppc64le, registry.redhat.io/openshift4/ose-local-storage-mustgather-rhel9@sha256:88742ac27f083e7441a0dfe1d6b7d218f83164c2deb7efc703a703bfc63c3112_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-aws-efs-csi-driver-rhel9-operator@sha256:b40bf58c730bcad14083d1f8d77af19e8efa5a0f6cb41306246b1e6ed8db3caa_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-aws-efs-csi-driver-rhel9-operator@sha256:b40bf58c730bcad14083d1f8d77af19e8efa5a0f6cb41306246b1e6ed8db3caa_amd64, *, registry.redhat.io/openshift4/ose-aws-efs-csi-driver-rhel9-operator@sha256:b40bf58c730bcad14083d1f8d77af19e8efa5a0f6cb41306246b1e6ed8db3caa_amd64 |
| Red Hat | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:bbb45eb295ec8e0c7ccdf4a4c6d5b549aae1814a285e2064e25ebfe6dd813d8c_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:bbb45eb295ec8e0c7ccdf4a4c6d5b549aae1814a285e2064e25ebfe6dd813d8c_amd64, registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:bbb45eb295ec8e0c7ccdf4a4c6d5b549aae1814a285e2064e25ebfe6dd813d8c_amd64, registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9-operator@sha256:bbb45eb295ec8e0c7ccdf4a4c6d5b549aae1814a285e2064e25ebfe6dd813d8c_amd64 |
| Red Hat | registry.redhat.io/openshift4/sriov-network-metrics-exporter-rhel9@sha256:49d7386e6f7ee45dd0f696a5379308a0427dd5877b488e301d29107cd8b244d2_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:5c3efff4a5be713e5db9393eb95d74770fd4506235915b28d1fbac29c8b778a1_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:5c3efff4a5be713e5db9393eb95d74770fd4506235915b28d1fbac29c8b778a1_ppc64le, registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:5c3efff4a5be713e5db9393eb95d74770fd4506235915b28d1fbac29c8b778a1_ppc64le, registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:5c3efff4a5be713e5db9393eb95d74770fd4506235915b28d1fbac29c8b778a1_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-helm-rhel9-operator@sha256:21056298779bc70126ec520f1871f55a9cb702914754558494005db2143382b1_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-helm-rhel9-operator@sha256:21056298779bc70126ec520f1871f55a9cb702914754558494005db2143382b1_ppc64le, * |
| golang | Go | |
| Red Hat | registry.redhat.io/openshift4/rdma-cni-rhel9@sha256:6e05d5c6a6c4b2b2f95561348a35aaeb0569258d0d00861bea65aa0a99ac5d4d_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/rdma-cni-rhel9@sha256:6e05d5c6a6c4b2b2f95561348a35aaeb0569258d0d00861bea65aa0a99ac5d4d_arm64, registry.redhat.io/openshift4/rdma-cni-rhel9@sha256:6e05d5c6a6c4b2b2f95561348a35aaeb0569258d0d00861bea65aa0a99ac5d4d_arm64, registry.redhat.io/openshift4/rdma-cni-rhel9@sha256:6e05d5c6a6c4b2b2f95561348a35aaeb0569258d0d00861bea65aa0a99ac5d4d_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-cluster-nfd-rhel9-operator@sha256:7a27d57c35d36b2ecdc4e00686f021a03dd1a87eb3448e96e3efc2b121ab15e8_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-cluster-nfd-rhel9-operator@sha256:7a27d57c35d36b2ecdc4e00686f021a03dd1a87eb3448e96e3efc2b121ab15e8_arm64, registry.redhat.io/openshift4/ose-cluster-nfd-rhel9-operator@sha256:7a27d57c35d36b2ecdc4e00686f021a03dd1a87eb3448e96e3efc2b121ab15e8_arm64, * |
…and 367 more
Timeline
- Mar 11, 2026 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Jul 12, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:3906 advisory
- https://access.redhat.com/security/cve/CVE-2025-61726 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3906.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2434432 issue
- https://www.cve.org/CVERecord?id=CVE-2025-61726 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-61726 advisory
- https://go.dev/cl/736712 advisory
- https://go.dev/issue/77101 advisory
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc advisory
- https://pkg.go.dev/vuln/GO-2026-4341 advisory