VDB
RHSA-2026%3A6554
RHSA-2026%3A6554
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift4/ose-csi-livenessprobe-rhel9@sha256:c9939d14d04be600248c2cc4158d304822f8253032121f13795140cb1e8e9850_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-csi-livenessprobe-rhel9@sha256:c9939d14d04be600248c2cc4158d304822f8253032121f13795140cb1e8e9850_amd64, registry.redhat.io/openshift4/ose-csi-livenessprobe-rhel9@sha256:c9939d14d04be600248c2cc4158d304822f8253032121f13795140cb1e8e9850_amd64, registry.redhat.io/openshift4/ose-csi-livenessprobe-rhel9@sha256:c9939d14d04be600248c2cc4158d304822f8253032121f13795140cb1e8e9850_amd64 |
| Red Hat | registry.redhat.io/openshift4/aws-kms-encryption-provider-rhel9@sha256:3b35d574708fb00c479227aba40e3fffe79b631899681b16a08c76e91cd102b2_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/aws-kms-encryption-provider-rhel9@sha256:3b35d574708fb00c479227aba40e3fffe79b631899681b16a08c76e91cd102b2_ppc64le, registry.redhat.io/openshift4/aws-kms-encryption-provider-rhel9@sha256:3b35d574708fb00c479227aba40e3fffe79b631899681b16a08c76e91cd102b2_ppc64le, registry.redhat.io/openshift4/aws-kms-encryption-provider-rhel9@sha256:3b35d574708fb00c479227aba40e3fffe79b631899681b16a08c76e91cd102b2_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-machine-config-rhel9-operator@sha256:c3333a9969367f1adc605ac2ef49fb5dbc7e080fe0ba31c7e88e54f48e40cf90_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-machine-config-rhel9-operator@sha256:c3333a9969367f1adc605ac2ef49fb5dbc7e080fe0ba31c7e88e54f48e40cf90_amd64, *, registry.redhat.io/openshift4/ose-machine-config-rhel9-operator@sha256:c3333a9969367f1adc605ac2ef49fb5dbc7e080fe0ba31c7e88e54f48e40cf90_amd64 |
| Red Hat | registry.redhat.io/openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:d54b9a5402b28eaf19373943ca2d13c3d0fb5ad6fcc3106b1334bc5d1eaf4fa9_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:d54b9a5402b28eaf19373943ca2d13c3d0fb5ad6fcc3106b1334bc5d1eaf4fa9_arm64, *, * |
| Red Hat | registry.redhat.io/openshift4/azure-service-rhel9-operator@sha256:360bb7bca74dcddbd1c73a7c3bf8cd8684ee4bdf8f7a974bfde2852553abea78_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-azure-cloud-node-manager-rhel9@sha256:23b9c9466353bf6a969780a7647febf6050a61612eb22e5a97ec7a81148fc04a_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-azure-cloud-node-manager-rhel9@sha256:23b9c9466353bf6a969780a7647febf6050a61612eb22e5a97ec7a81148fc04a_arm64, registry.redhat.io/openshift4/ose-azure-cloud-node-manager-rhel9@sha256:23b9c9466353bf6a969780a7647febf6050a61612eb22e5a97ec7a81148fc04a_arm64, * |
| Red Hat | registry.redhat.io/openshift4/oc-mirror-plugin-rhel9@sha256:531b4827b1c82009b93b32fc2695434c648e4ef41525a2ee6ce08348c27328de_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-cluster-olm-rhel9-operator@sha256:b245369b51604ea52ab3eff6427982483606b83dcc5a00ce6e351eef55642051_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-cluster-version-rhel9-operator@sha256:f8b264fe1d17c364fd597314285f1de453d5006c464d10f892b72d92e4be1a97_s390x as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-cluster-version-rhel9-operator@sha256:f8b264fe1d17c364fd597314285f1de453d5006c464d10f892b72d92e4be1a97_s390x, *, * |
| Red Hat | registry.redhat.io/openshift4/azure-service-rhel9-operator@sha256:b9a0fed36ec0557a938659dae4ff53c7f29a686c884f622a2c2752dc79201000_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-console-rhel9-operator@sha256:e93f5dbafdc1243f42e7cc208794d0ffaeca32e3de64cd9d3e69cc2607b92666_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-console-rhel9-operator@sha256:e93f5dbafdc1243f42e7cc208794d0ffaeca32e3de64cd9d3e69cc2607b92666_arm64, registry.redhat.io/openshift4/ose-console-rhel9-operator@sha256:e93f5dbafdc1243f42e7cc208794d0ffaeca32e3de64cd9d3e69cc2607b92666_arm64, registry.redhat.io/openshift4/ose-console-rhel9-operator@sha256:e93f5dbafdc1243f42e7cc208794d0ffaeca32e3de64cd9d3e69cc2607b92666_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-ibm-vpc-block-csi-driver-rhel9@sha256:e6c36fa49e555ce2546651db02351931fa884c53754ea8e8af3debc6c2ceacbf_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-ibm-vpc-block-csi-driver-rhel9@sha256:e6c36fa49e555ce2546651db02351931fa884c53754ea8e8af3debc6c2ceacbf_amd64, registry.redhat.io/openshift4/ose-ibm-vpc-block-csi-driver-rhel9@sha256:e6c36fa49e555ce2546651db02351931fa884c53754ea8e8af3debc6c2ceacbf_amd64, registry.redhat.io/openshift4/ose-ibm-vpc-block-csi-driver-rhel9@sha256:e6c36fa49e555ce2546651db02351931fa884c53754ea8e8af3debc6c2ceacbf_amd64 |
| Red Hat | registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9@sha256:a686b7330b04572b42009bbe845ca2795b126dd1612f83529d8d828da0945c24_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9@sha256:a686b7330b04572b42009bbe845ca2795b126dd1612f83529d8d828da0945c24_amd64, registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9@sha256:a686b7330b04572b42009bbe845ca2795b126dd1612f83529d8d828da0945c24_amd64, registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9@sha256:a686b7330b04572b42009bbe845ca2795b126dd1612f83529d8d828da0945c24_amd64 |
| Red Hat | registry.redhat.io/openshift4/egress-router-cni-rhel9@sha256:0423c2bc5bc949c627e9044a2666b29b65979a68fa0496aee63fda75edfb5d3d_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-etcd-rhel9@sha256:b6a1b1ecf3cc62071e1c3abde7d316acfa7b6a148945bc47daa36e82f6694ac7_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-etcd-rhel9@sha256:b6a1b1ecf3cc62071e1c3abde7d316acfa7b6a148945bc47daa36e82f6694ac7_ppc64le, registry.redhat.io/openshift4/ose-etcd-rhel9@sha256:b6a1b1ecf3cc62071e1c3abde7d316acfa7b6a148945bc47daa36e82f6694ac7_ppc64le, registry.redhat.io/openshift4/ose-etcd-rhel9@sha256:b6a1b1ecf3cc62071e1c3abde7d316acfa7b6a148945bc47daa36e82f6694ac7_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-machine-api-provider-gcp-rhel9@sha256:8e86a742b7b8a4f3310cd8650610f0065fcaf96625ca32f0467a40a535001d25_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-machine-api-provider-gcp-rhel9@sha256:8e86a742b7b8a4f3310cd8650610f0065fcaf96625ca32f0467a40a535001d25_ppc64le, registry.redhat.io/openshift4/ose-machine-api-provider-gcp-rhel9@sha256:8e86a742b7b8a4f3310cd8650610f0065fcaf96625ca32f0467a40a535001d25_ppc64le, registry.redhat.io/openshift4/ose-machine-api-provider-gcp-rhel9@sha256:8e86a742b7b8a4f3310cd8650610f0065fcaf96625ca32f0467a40a535001d25_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-powervs-machine-controllers-rhel9@sha256:d17803ab00c470f6a9ff971b41a5a67414ba982711e2eca0df749e0a818ba113_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-powervs-machine-controllers-rhel9@sha256:d17803ab00c470f6a9ff971b41a5a67414ba982711e2eca0df749e0a818ba113_ppc64le, * |
| Red Hat | registry.redhat.io/openshift4/ose-gcp-workload-identity-federation-webhook-rhel9@sha256:8189a6e73b540ee8ed9e1a56846cc846cdef13ff8aa1242b3b98f230f7e33712_s390x as a component of Red Hat OpenShift Container Platform 4.18 | *, registry.redhat.io/openshift4/ose-gcp-workload-identity-federation-webhook-rhel9@sha256:8189a6e73b540ee8ed9e1a56846cc846cdef13ff8aa1242b3b98f230f7e33712_s390x, * |
| Red Hat | registry.redhat.io/openshift4/ose-cluster-autoscaler-rhel9-operator@sha256:0fca3996084db27453f1928844c3a51b67df6fd097d71424fc914751a2d3dc64_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-cluster-autoscaler-rhel9-operator@sha256:0fca3996084db27453f1928844c3a51b67df6fd097d71424fc914751a2d3dc64_ppc64le, registry.redhat.io/openshift4/ose-cluster-autoscaler-rhel9-operator@sha256:0fca3996084db27453f1928844c3a51b67df6fd097d71424fc914751a2d3dc64_ppc64le, registry.redhat.io/openshift4/ose-cluster-autoscaler-rhel9-operator@sha256:0fca3996084db27453f1928844c3a51b67df6fd097d71424fc914751a2d3dc64_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-multus-networkpolicy-rhel9@sha256:b039485680f09c50aff0c71f3976c8761403bc267c7284ccb29fd11763932a41_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | registry.redhat.io/openshift4/ose-multus-networkpolicy-rhel9@sha256:b039485680f09c50aff0c71f3976c8761403bc267c7284ccb29fd11763932a41_ppc64le, *, registry.redhat.io/openshift4/ose-multus-networkpolicy-rhel9@sha256:b039485680f09c50aff0c71f3976c8761403bc267c7284ccb29fd11763932a41_ppc64le |
…and 1303 more
Timeline
- Apr 9, 2026 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Jul 9, 2026 Security Advisory
- Jul 9, 2026 Security Advisory
- Jul 10, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:6554 advisory
- https://access.redhat.com/security/cve/CVE-2025-61726 advisory
- https://access.redhat.com/security/cve/CVE-2025-61728 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6554.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2434432 issue
- https://www.cve.org/CVERecord?id=CVE-2025-61726 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-61726 advisory
- https://go.dev/cl/736712 advisory
- https://go.dev/issue/77101 advisory
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc advisory
- https://pkg.go.dev/vuln/GO-2026-4341 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2434431 issue
- https://www.cve.org/CVERecord?id=CVE-2025-61728 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-61728 advisory
- https://go.dev/cl/736713 advisory
- https://go.dev/issue/77102 advisory
- https://pkg.go.dev/vuln/GO-2026-4342 advisory
- https://access.redhat.com/security/cve/CVE-2025-58183 advisory
- https://access.redhat.com/security/cve/CVE-2025-61729 advisory
…and 14 more