Red Hat Product Errata RHSA-2026:3186 - Security Advisory
Issued:
2026-02-26
Updated:
2026-02-26

RHSA-2026:3186 - Security Advisory

Synopsis

Important: Red Hat build of Cryostat 4.1.1: new RHEL 9 container image security update

Type/Severity

Security Advisory: Important

Topic

New Red Hat build of Cryostat 4.1.1 on RHEL 9 container images are now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Cryostat 4 on RHEL 9 container images have been updated to fix several bugs.

Users of Cryostat 4 on RHEL 9 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

Security Fix(es):

  • golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
  • golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
  • crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

You can find images updated by this advisory in the Red Hat Container Catalog (see the References section).

Solution

You can download the Cryostat 4 on RHEL 9 container images that this update provides from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available in the Red Hat Container Catalog (see the References section).

Dockerfiles and scripts should be amended to refer to this new image specifically or to the latest image generally.

Affected Products

  • Cryostat 4 x86_64

Fixes

  • BZ - 2434431 - CVE-2025-61728 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
  • BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url
  • BZ - 2437111 - CVE-2025-68121 crypto/tls: Unexpected session resumption in crypto/tls

aarch64

cryostat/cryostat-agent-init-rhel9@sha256:ba711294dc42ddc4bf9ebfc663f56cbfd583a146c5d2726b04807e38c4a12e24
cryostat/cryostat-db-rhel9@sha256:f2b48d6dea021ff7848d051f586306c92b7db9dd2678bd7911c4fcf25cceea74
cryostat/cryostat-grafana-dashboard-rhel9@sha256:7d3316244a4c218c69a6f9eee6490d8852f20fd8d271b553e6f1f504ece84ff4
cryostat/cryostat-openshift-console-plugin-rhel9@sha256:171536e7fbce24727dfedf83c0068d05ef6a8f98fbe296165d30d84b1eefa718
cryostat/cryostat-operator-bundle@sha256:9dbb055afdbc7291bb59bc818e4a12bebbf249af9f1453e0e9c4ea47e8bbf4ec
cryostat/cryostat-reports-rhel9@sha256:a240e1b80eee3114ce64c27ca9afbb66e8c1f820816023dfb2f4b7d394b0d07c
cryostat/cryostat-rhel9@sha256:85a96d049a3feeab643966aa9e8eef2f4592051cd0f49c536f92fe5d272f4f03
cryostat/cryostat-rhel9-operator@sha256:3dac77f627d8dcacaa45498a63a12f7b76c5086a9ac13877b9ccab7571545438
cryostat/cryostat-storage-rhel9@sha256:3d32c82c26a425e5f952664bba8e2262a51de740aed8dc58dc51d5058a2e9670
cryostat/jfr-datasource-rhel9@sha256:476cfce49a28a07afb6e9d9cf01554773d7c2d67a8a8dee8f11883461b68abc6

x86_64

cryostat/cryostat-agent-init-rhel9@sha256:c27fea43f5c8ad8df258d0bf8c751bc9a59cb6013fad82542e01a1a0d25387b4
cryostat/cryostat-db-rhel9@sha256:b79cc2a7dfd2b0c0f532a884b2abd1c0c9b460709ecb897646f1cc105a8f10f9
cryostat/cryostat-grafana-dashboard-rhel9@sha256:77b9eb8a7f42a2695b3add2809c52a99098dbebb3d4208e4edcec2cb66feceb8
cryostat/cryostat-openshift-console-plugin-rhel9@sha256:3750c0350aa3d27d97562d8c82d80900bf9f876335e0e6879bd8728d88df2a02
cryostat/cryostat-operator-bundle@sha256:94a88599a40d8bff8dc852371669a3c36b8fb6ecfbfd17ec4e0ff6f65f5fe435
cryostat/cryostat-reports-rhel9@sha256:4090fc0f5fedf0c99537885c6562ed4f457898580795bc3ff06c36b305c1d254
cryostat/cryostat-rhel9@sha256:d1db787820f7f60a76341f72641a0ec653b29b048b3dccf348f2026379321391
cryostat/cryostat-rhel9-operator@sha256:bde24dc6b2e929bf96be268ed1a171505d2b042723bbbaf43c2549b37ff2a6c9
cryostat/cryostat-storage-rhel9@sha256:90119c056c8ce60631fef02c4a3df39e3b17de535bf26963ff4931b39cc0f61d
cryostat/jfr-datasource-rhel9@sha256:ee3530b61cba41519ac6b29aea39cb6f39c4e2c379d891ce8d9fe4914f5892dd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.