RHSA-2026:14162 - Security Advisory

Topic

Red Hat build of OpenTelemetry 3.9.3 has been released

Description

This release of the Red Hat build of OpenTelemetry provides security improvements.

Breaking changes:

• None

Deprecations:

• None

Technology Preview features:

• None

Enhancements:

• None

Bug fixes:

• TOCTOU race condition in libcap cap_set_file() function is fixed. Previously, the cap_set_file() function in libcap contained a Time-of-check-to-time-of-use (TOCTOU) race condition. A local unprivileged user with write access to a parent directory could exploit this vulnerability to redirect file capability updates to an attacker-controlled file. This flaw allowed an attacker to inject capabilities into or strip capabilities from unintended executables, leading to privilege escalation. With this update, the race condition in cap_set_file() is fixed. As a result, file capability updates are applied to the intended target files, and the vulnerability is no longer exploitable. For more information, see https://access.redhat.com/security/cve/CVE-2026-4878.
• Integer overflow vulnerability in Apache Thrift TFramedTransport Go implementation is fixed. Previously, the Apache Thrift TFramedTransport Go language implementation contained an integer overflow or wraparound vulnerability. An attacker could exploit this flaw to cause unexpected behavior or resource exhaustion, leading to a denial of service. With this update, the integer overflow issue is fixed. As a result, TFramedTransport correctly handles integer values, and the vulnerability is no longer exploitable. For more information, see https://access.redhat.com/security/cve/CVE-2026-41602.
• Denial of service vulnerability in Go crypto/x509 and crypto/tls packages is fixed. Previously, the Go standard library packages crypto/x509 and crypto/tls did not properly limit the number of intermediate certificates processed during certificate chain building. An attacker could provide an excessive number of intermediate certificates, causing an uncontrolled amount of work. This flaw could result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users. With this update, the number of intermediate certificates processed during certificate chain building is properly limited. As a result, the packages handle certificate chains efficiently, and the vulnerability is no longer exploitable. For more information, see https://access.redhat.com/security/cve/CVE-2026-32280.
• TLS 1.3 connection deadlock vulnerability is fixed. Previously, if one side of a TLS 1.3 connection sent multiple key update messages post-handshake in a single record, the connection could deadlock. This deadlock caused uncontrolled consumption of resources and could lead to a denial of service. With this update, TLS 1.3 connections correctly handle multiple key update messages in a single record. As a result, connections no longer deadlock, and the vulnerability is no longer exploitable. For more information about CVE-2026-32283, see https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU.
• IPC API vulnerability in systemd is fixed. Previously, system and service manager systemd contained a flaw that an unprivileged user could exploit by making an Inter-Process Communication (IPC) API call with spurious data. In older versions (v249 and earlier), this flaw could lead to stack overwriting with attacker-controlled content, potentially enabling arbitrary code execution or privilege escalation. In newer versions (v250 and later), this flaw caused systemd to assert and freeze, resulting in a denial of service (DoS). With this update, systemd correctly validates IPC API calls. As a result, the vulnerability is no longer exploitable. For more information, see https://access.redhat.com/security/cve/CVE-2026-29111.

Known issues:

• The filesystem scraper does not produce the system.filesystem.inodes.usage and system.filesystem.usage metrics in the Host Metrics Receiver after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround exists. For more information, see https://issues.redhat.com/browse/TRACING-5963.

Solution

For details on how to apply this update, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators

Fixes

CVEs

• CVE-2026-29111
• CVE-2026-32280
• CVE-2026-32283
• CVE-2026-41602
• CVE-2026-4878

References

• https://access.redhat.com/security/updates/classification/
• https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry