RHBA-2026:26554 - Bug Fix Advisory

Topic

Updated jboss-eap/eap-rhel9-operator container image is now available for RHEL-9 based Middleware Containers.

Description

The jboss-eap/eap-rhel9-operator container image has been updated for RHEL-9 based Middleware Containers to address the following security advisory: RHSA-2026:25239 (see References)

Users of jboss-eap/eap-rhel9-operator container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

You can find images updated by this advisory in Red Hat Container Catalog (see References).

Solution

The RHEL-9 based Middleware Containers container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.

Affected Products

• Red Hat JBoss Middleware 1 x86_64

Fixes

• BZ - 2481879 - CVE-2026-7383 openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing
• BZ - 2481880 - CVE-2026-9076 openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption
• BZ - 2481881 - CVE-2026-34180 openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure.
• BZ - 2481882 - CVE-2026-34181 openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
• BZ - 2481884 - CVE-2026-34182 openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages
• BZ - 2481885 - CVE-2026-34183 openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
• BZ - 2481887 - CVE-2026-42764 openssl: NULL pointer dereference in QUIC server initial packet handling
• BZ - 2481890 - CVE-2026-42766 openssl: Possible NULL Dereference in Password-Based CMS Decryption
• BZ - 2481891 - CVE-2026-42767 openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption
• BZ - 2481892 - CVE-2026-42768 openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
• BZ - 2481893 - CVE-2026-42769 openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
• BZ - 2481894 - CVE-2026-42770 openssl: FFC-DH Peer Validation Uses Attacker-Supplied q
• BZ - 2481896 - CVE-2026-45445 openssl: AES-OCB IV Ignored on EVP_Cipher() Path
• BZ - 2481897 - CVE-2026-45446 openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
• BZ - 2481898 - CVE-2026-45447 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()

CVEs

• CVE-2026-7383
• CVE-2026-9076
• CVE-2026-34180
• CVE-2026-34181
• CVE-2026-34182
• CVE-2026-34183
• CVE-2026-42764
• CVE-2026-42766
• CVE-2026-42767
• CVE-2026-42768
• CVE-2026-42769
• CVE-2026-42770
• CVE-2026-45445
• CVE-2026-45446
• CVE-2026-45447

References

• https://access.redhat.com/errata/RHSA-2026:25239
• https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/jboss-eap/eap-rhel9-operator