Red Hat Service Interconnect
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Service Interconnect.
Recent Red Hat Service Interconnect Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2025:9895 | (RHSA-2025:9895) Important: Red Hat Service Interconnect security update | June 30, 2025 |
| RHSA-2024:4865 | (RHSA-2024:4865) Moderate: Red Hat Service Interconnect security update | July 25, 2024 |
| RHSA-2024:4126 | (RHSA-2024:4126) Important: Red Hat Service Interconnect 1.4.5 Release security update | June 26, 2024 |
| RHSA-2024:4125 | (RHSA-2024:4125) Important: Red Hat Service Interconnect 1.4.5 Release security update | June 26, 2024 |
| RHSA-2024:4034 | (RHSA-2024:4034) Important: Red Hat Service Interconnect 1.5.4 Release security update (images) | June 20, 2024 |
| RHSA-2024:1901 | (RHSA-2024:1901) Moderate: Red Hat Service Interconnect 1.5.3 Release (images) | April 18, 2024 |
| RHSA-2023:6219 | (RHSA-2023:6219) Important: Red Hat Service Interconnect security update | October 31, 2023 |
| RHSA-2023:4003 | (RHSA-2023:4003) Moderate: Red Hat Service Interconnect 1.4 Release security update | July 10, 2023 |
By the Year
In 2026 there have been 13 vulnerabilities in Red Hat Service Interconnect with an average score of 8.0 out of ten. Service Interconnect did not have any published security vulnerabilities last year. That is, 13 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 13 | 7.95 |
| 2025 | 0 | 0.00 |
| 2024 | 4 | 6.60 |
| 2023 | 2 | 7.15 |
It may take a day or so for new Service Interconnect vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Service Interconnect Security Vulnerabilities
Go crypto/x509 VerifyHostname DNS SAN quadratic overhead
CVE-2026-27145
7.5 - High
- June 02, 2026
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
Unchecked Input for Loop Condition
golang.org/x/net/idna pre-0.55.0 IDN bug allows silent ASCII/Unicode mix
CVE-2026-39821
8.2 - High
- May 22, 2026
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Improper Validation of Unsafe Equivalence in Input
Go net/mail 1.25.x-1.26.3: ParseAddress/Date CPU/Memory Exhaustion
CVE-2026-39820
7.5 - High
- May 07, 2026
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Unchecked Input for Loop Condition
DoS via consumePhrase in Go net/mail RFC 5322 parsing <1.26.3
CVE-2026-42499
7.5 - High
- May 07, 2026
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Creation of Immutable Text Using String Concatenation
Double-free CVE-2026-33811 via LookupCNAME in Go net (<=1.26.2)
CVE-2026-33811
7.5 - High
- May 07, 2026
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
1341
Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280
7.5 - High
- April 08, 2026
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Allocation of Resources Without Limits or Throttling
Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283
7.5 - High
- April 08, 2026
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Multiple Locks of a Critical Resource
Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810
8.8 - High
- April 08, 2026
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Improper Validation of Unsafe Equivalence in Input
gRPC-Go Auth Bypass (1.79.2) via noncanonical :path
CVE-2026-33186
9.1 - Critical
- March 20, 2026
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
AuthZ
Go <1.26: crypto/x509 Email Constraint Bug
CVE-2026-27137
7.5 - High
- March 06, 2026
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Improper Certificate Validation
Go net/url Host Validation Flaw in Parse (v<1.25.8, <1.26.1)
CVE-2026-25679
7.5 - High
- March 06, 2026
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Improper Validation of Syntactic Correctness of Input
Go net/url: MEM BOMB via Unlimited Query Param Count
CVE-2025-61726
7.5 - High
- January 28, 2026
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Allocation of Resources Without Limits or Throttling
OpenSSL 3.x CMS AuthEnvelopedData AEAD IV stack overflow (v3.6+)
CVE-2025-15467
9.8 - Critical
- January 27, 2026
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Memory Corruption
Skupper Console Authentication Bypass and Resource Exhaustion Vulnerability
CVE-2024-12582
7.1 - High
- December 24, 2024
A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.
Authentication Bypass by Primary Weakness
Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355
6.5 - Medium
- October 01, 2024
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
Use of Uninitialized Variable
Skupper Console Bypass via Static Cookie-Secret in OAuth-Proxy
CVE-2024-6535
5.3 - Medium
- July 17, 2024
A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.
1392
Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394
7.5 - High
- March 21, 2024
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Memory Leak
Skupper Operator Auth Bypass Allows Cross-Cluster Deployment Visibility
CVE-2023-5056
6.8 - Medium
- December 18, 2023
A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.
AuthZ
HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Service Interconnect or by Red Hat? Click the Watch button to subscribe.