- Issued:
- 2026-02-23
- Updated:
- 2026-02-23
RHSA-2026:3108 - Security Advisory
Synopsis
Red Hat OpenShift Service Mesh 3.1.5
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Service Mesh 3.1.5
This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh 3.1.5, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.
Fixes/Improvements:
- Updated to Istio version 1.26.8
- OCSP Memory Leak Check BSSL-Compatability
Security Fix(es):
- istio-rhel9-operator: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 (CVE-2025-61729)
- istio-pilot-rhel9: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 (CVE-2025-61729)
- istio-cni-rhel9: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 (CVE-2025-61729)
- istio-cni-rhel9: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
Solution
See Red Hat OpenShift Service Mesh 3.1.5 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1
Fixes
- OSSM-12404 - Missing tar and rsync in istio must gather image (OSSM 3)
amd64
| registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:c3cf1d5a1e6e5174e08cee465b1bee05ed731850e95ff95c06640dc00a1d2f3f |
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:88337ff2221d2a2695e6c5af167d5fda9aa5d7225daabea6a9a8b55e34a74f6e |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:67e2792b5e898ff5fc26e3912b0e24f72e43842dfb0bda9fe070560d069ba8ce |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:eadb7ac7d1bd9b873330de0a517a84a531913dddc306c8eb60645c18c6862250 |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:405e86c83431f73186638cb43815ba0466f5e50689d2ee1d84327168412838a9 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a873ca532169aaa3090340ae0b3deeea04d3b17407ec95ecb0979bdcd36ad205 |
| registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:32b0f17f22669860f4e0eb5b8dfaa78ffc67dd3559f45c9e93671d9f1855d35f |
arm64
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:8792cda826c9afc0ab5d67fe4c1abbacbc16005c3a407ade0f3bdbbf4d0e8649 |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:892341ffbcdce3ff2f9723a3405af64c8c9879ab55857fd7561edb4b6782eb65 |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:334fee8bd9a2631fcd66d3a3a14cb9fd06e8c4d71d2892886fd261f81361119e |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:5a5e1f0807103b16c6b049319a7c176b1ebfb25f1287563bfda3bf1cd3182c1e |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:846f1e23adabd88b30ced214c704280aa95f4a4d562768eb18599e3aaf6734f7 |
| registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:13c44791195db8621bb6bf7c2ee9d0c021100913ee084513ef9876683dd09db1 |
ppc64le
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4ada91098d4f47784016abf7015e20e068b76ece37a2d2c054b3986d708ed30c |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:d18dcd6a17e9b00b76f492e6062fd6067f4fa05f0493050224a1094e5552a0e4 |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:013a6bda07e2be5a3ea5de72b94cd7cf0545c484a8ef2d4179d27dad323eb713 |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:824ebba7a8e0b16337f72961263e46d073e1cbbfd436d637b7fa2a74ea28e029 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7297923206f14165cd59aba37f007f824e4c6e18bbd8b6bd6522d7e007e5300f |
| registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:b20dd28ed5975d5fb6c6d01729168dd939d222098597e09c29f7430d179b46c4 |
s390x
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:6ced0b7d95cc8bec20d00adb2f7587202bacedd2d5b55b9e297a5bcc207089af |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2983464abf90f1ab085919cb0c2739fcd0cc4ffa8aadc1816005df91c8e2911f |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:d6c4e8eb2725f89243cfecfdd1950401d2e73b3915ee6471dc9e880ab806f738 |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:16cc994dd9eda1408da99798435236c88a177155d176904562fddd0d4fe1abc1 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:af46660dd2c97f3bbfeca8ba9f344f74ef93c58a956426998c3f23ffe74076d2 |
| registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:caab6cf1b57357bbcc58ae5b4c7bb0ea92c3e9fe142c543f6c2da1c8a2a7aaee |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
