VDB
RHSA-2026%3A6341
RHSA-2026%3A6341
PUBLISHED
CVSS 7.5 HIGH
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | cryostat/cryostat-storage-rhel9@sha256:ce8aaa6975d322e9eb9ef2d3b822b2bd29a8d8ebccfe0ec668fd76a57b61a736_arm64 as a component of Cryostat 4 on RHEL 9 | *, cryostat/cryostat-storage-rhel9@sha256:ce8aaa6975d322e9eb9ef2d3b822b2bd29a8d8ebccfe0ec668fd76a57b61a736_arm64 |
| Red Hat | cryostat/cryostat-rhel9@sha256:900f94e2359940f703669dd8c62490a1392afadb666ca1b0b494184772085020_arm64 as a component of Cryostat 4 on RHEL 9 | *, cryostat/cryostat-rhel9@sha256:900f94e2359940f703669dd8c62490a1392afadb666ca1b0b494184772085020_arm64, cryostat/cryostat-rhel9@sha256:900f94e2359940f703669dd8c62490a1392afadb666ca1b0b494184772085020_arm64 |
| Red Hat | cryostat/jfr-datasource-rhel9@sha256:6da38459c39df5db65c75202dcfcd675094590fb4b21ed8c0789b8a16b053016_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/jfr-datasource-rhel9@sha256:6da38459c39df5db65c75202dcfcd675094590fb4b21ed8c0789b8a16b053016_arm64, cryostat/jfr-datasource-rhel9@sha256:6da38459c39df5db65c75202dcfcd675094590fb4b21ed8c0789b8a16b053016_arm64 |
| Red Hat | cryostat/cryostat-rhel9-operator@sha256:92edd503080b2c35cf513ddbbecacdc0942f9e9b0576c860b373078683503119_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-rhel9-operator@sha256:92edd503080b2c35cf513ddbbecacdc0942f9e9b0576c860b373078683503119_arm64, * |
| Red Hat | cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ce8f7a591e017ab963337694227ed32d75bc4832f3a338159d3011f96859ffd4_amd64 as a component of Cryostat 4 on RHEL 9 | *, *, * |
| Red Hat | cryostat/cryostat-agent-init-rhel9 | |
| Red Hat | cryostat/cryostat-operator-bundle@sha256:0281e3fd6d501df5d67246044f98243e7ed88ee4a61c32b42be261a9aa116290_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-operator-bundle@sha256:0281e3fd6d501df5d67246044f98243e7ed88ee4a61c32b42be261a9aa116290_arm64, cryostat/cryostat-operator-bundle@sha256:0281e3fd6d501df5d67246044f98243e7ed88ee4a61c32b42be261a9aa116290_arm64 |
| Red Hat | cryostat/cryostat-storage-rhel9@sha256:1465752cc44bc548eb638a098bb6638b31e1b68f681831d76119529127a7b219_amd64 as a component of Cryostat 4 on RHEL 9 | *, *, * |
| Red Hat | cryostat/cryostat-db-rhel9@sha256:142758ed9e3576cb133c5644caf836ad71e5e0d7b704e628995f4a636464414c_amd64 as a component of Cryostat 4 on RHEL 9 | *, cryostat/cryostat-db-rhel9@sha256:142758ed9e3576cb133c5644caf836ad71e5e0d7b704e628995f4a636464414c_amd64, * |
| Red Hat | cryostat/cryostat-reports-rhel9@sha256:655d96e92b777adc08edf16ff72c1cb6622b52a701fd928bd82ff901003f8e07_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-reports-rhel9@sha256:655d96e92b777adc08edf16ff72c1cb6622b52a701fd928bd82ff901003f8e07_arm64, cryostat/cryostat-reports-rhel9@sha256:655d96e92b777adc08edf16ff72c1cb6622b52a701fd928bd82ff901003f8e07_arm64 |
| Red Hat | cryostat/jfr-datasource-rhel9@sha256:6da38459c39df5db65c75202dcfcd675094590fb4b21ed8c0789b8a16b053016_arm64 as a component of Cryostat 4 on RHEL 9 | *, cryostat/jfr-datasource-rhel9@sha256:6da38459c39df5db65c75202dcfcd675094590fb4b21ed8c0789b8a16b053016_arm64, * |
| Red Hat | cryostat/cryostat-rhel9@sha256:900f94e2359940f703669dd8c62490a1392afadb666ca1b0b494184772085020_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-rhel9@sha256:900f94e2359940f703669dd8c62490a1392afadb666ca1b0b494184772085020_arm64, cryostat/cryostat-rhel9@sha256:900f94e2359940f703669dd8c62490a1392afadb666ca1b0b494184772085020_arm64 |
| Red Hat | cryostat/jfr-datasource-rhel9@sha256:6e42be9460b630cb44f31b01fc902a6a60a2cf2c28abbec3ecacf268603ae977_amd64 as a component of Cryostat 4 on RHEL 9 | cryostat/jfr-datasource-rhel9@sha256:6e42be9460b630cb44f31b01fc902a6a60a2cf2c28abbec3ecacf268603ae977_amd64, cryostat/jfr-datasource-rhel9@sha256:6e42be9460b630cb44f31b01fc902a6a60a2cf2c28abbec3ecacf268603ae977_amd64, * |
| Red Hat | cryostat/cryostat-reports-rhel9@sha256:7856d929beb9198f4d0139825ed65e9b24bb895e910d608ba91d0255f30f9844_amd64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-reports-rhel9@sha256:7856d929beb9198f4d0139825ed65e9b24bb895e910d608ba91d0255f30f9844_amd64, cryostat/cryostat-reports-rhel9@sha256:7856d929beb9198f4d0139825ed65e9b24bb895e910d608ba91d0255f30f9844_amd64 |
| Red Hat | cryostat/cryostat-operator-bundle@sha256:46677e38ae7f44d21676b7f44be842fdfa8242c3c96ced432e29c245b2fa483a_amd64 as a component of Cryostat 4 on RHEL 9 | *, *, * |
| Red Hat | cryostat/cryostat-agent-init-rhel9@sha256:ea94c84c3d002574b52a6cd077057eb624af4e033f2b0ca17788963bda0b8b99_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-agent-init-rhel9@sha256:ea94c84c3d002574b52a6cd077057eb624af4e033f2b0ca17788963bda0b8b99_arm64, cryostat/cryostat-agent-init-rhel9@sha256:ea94c84c3d002574b52a6cd077057eb624af4e033f2b0ca17788963bda0b8b99_arm64 |
| Red Hat | cryostat/cryostat-rhel9-operator@sha256:ce134470d6345c43eba1f8b6d585118860ceb9bc5f7dae5d76db55c861e3db3e_amd64 as a component of Cryostat 4 on RHEL 9 | *, *, * |
| Red Hat | cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ce8f7a591e017ab963337694227ed32d75bc4832f3a338159d3011f96859ffd4_amd64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ce8f7a591e017ab963337694227ed32d75bc4832f3a338159d3011f96859ffd4_amd64, cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ce8f7a591e017ab963337694227ed32d75bc4832f3a338159d3011f96859ffd4_amd64 |
| Red Hat | cryostat/cryostat-openshift-console-plugin-rhel9@sha256:49687873862b452e4a3890663d3bbfe95412713088af9a2d5f32d256a4dc3f5e_arm64 as a component of Cryostat 4 on RHEL 9 | cryostat/cryostat-openshift-console-plugin-rhel9@sha256:49687873862b452e4a3890663d3bbfe95412713088af9a2d5f32d256a4dc3f5e_arm64, *, * |
…and 23 more
Timeline
- Apr 1, 2026 CVE Published
- Apr 28, 2026 Distribution Patch
- Apr 28, 2026 Distribution Patch
- Apr 28, 2026 Security Advisory
- Apr 28, 2026 Security Advisory
- Jun 17, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:6341 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2445356 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6341.json advisory
- https://access.redhat.com/security/cve/CVE-2026-25679 advisory
- https://www.cve.org/CVERecord?id=CVE-2026-25679 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25679 advisory
- https://go.dev/cl/752180 advisory
- https://go.dev/issue/77578 advisory
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk advisory
- https://pkg.go.dev/vuln/GO-2026-4601 advisory