- Issued:
- 2026-07-08
- Updated:
- 2026-07-08
RHSA-2026:36796 - Security Advisory
Synopsis
Important: Red Hat Edge Manager Version 1.0.3 Security Update
Type/Severity
Security Advisory: Important
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
Red Hat Edge Manager Version 1.0.3 Security Update
Description
Red Hat Edge Manager (RHEM) provides simple, scalable, and security-focused
management of edge devices and applications. It supports image-mode RHEL and
container workloads that run on Podman/Docker or Kubernetes.
RHEM is now available as a standalone feature, providing greater flexibility for
edge deployments. In addition to the standalone version, RHEM continues to be
offered as a plugin for the following platforms:
Red Hat Advanced Cluster Management (RHACM): Extends fleet management to edge
devices.
Red Hat Ansible Automation Platform (AAP): Integrates edge management with
Ansible automation.
This integration enables organizations to optimize the management and
orchestration of their fleets of edge devices; whether its thousands of
dispersed retail point-of-sale systems or industrial machinery on remote factory
floors.
Value for customers and partners:
- This solution not only helps customers manage thousands of devices but helps
scale operations.
- To manage large-scale deployments, customers need to be able to integrate with
their existing management systems, support remote configuration and over-the-air
updates, and collect telemetry data for advanced analytics.
- Red Hat Edge Manager offers a simple and security-focused lifecycle
management, from onboarding to decommissioning of edge devices.
This complete end-to-end solution empowers organizations to gain the most value
from the fleets of devices that generate data, all from a centralized location.
Security fixes:
- golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate (CVE-2026-39835)
- golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses (CVE-2026-39830)
- golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters (CVE-2026-39829)
- golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions (CVE-2026-39828)
- golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation (CVE-2026-46595)
- golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions (CVE-2026-39832)
- golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey (CVE-2026-42508)
- golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (CVE-2026-39821)
- Go net package: Denial of Service via long CNAME response in LookupCNAME (CVE-2026-33811)
- Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)
- Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810)
- Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
- Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)
- Go crypto/x509: Incorrect enforcement of email constraints (CVE-2026-27137)
- Go net/url: Incorrect parsing of IPv6 host literals (CVE-2026-25679)
- golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
- github.com/jackc/pgx: Memory-safety vulnerability (CVE-2026-33815)
- github.com/jackc/pgx: Memory-safety vulnerability (CVE-2026-33816)
- gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
- Prometheus: Information disclosure of Azure OAuth client secret via config API (CVE-2026-42151)
- Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint (CVE-2026-42154)
- Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
- Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code (CVE-2026-35469)
Solution
See the following documentation for details on how to enable Red Hat Edge Manager and more: https://docs.redhat.com/en/documentation/red_hat_edge_manager/1.0
Affected Products
- Red Hat Edge Manager 1.0 x86_64
- Red Hat Edge Manager 1.0 s390x
- Red Hat Edge Manager 1.0 ppc64le
- Red Hat Edge Manager 1.0 aarch64
Fixes
- BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
- BZ - 2445345 - CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509
- BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
- BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
- BZ - 2455972 - CVE-2026-33816 github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability
- BZ - 2455975 - CVE-2026-33815 github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability
- BZ - 2456333 - CVE-2026-32281 crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
- BZ - 2456335 - CVE-2026-33810 crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
- BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
- BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
- BZ - 2456339 - CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
- BZ - 2457729 - CVE-2026-35469 Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
- BZ - 2466505 - CVE-2026-42154 github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
- BZ - 2466507 - CVE-2026-42151 github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
- BZ - 2467822 - CVE-2026-33811 net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME
- BZ - 2480680 - CVE-2026-39835 golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate
- BZ - 2480681 - CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
- BZ - 2480684 - CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
- BZ - 2480685 - CVE-2026-39832 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
- BZ - 2480687 - CVE-2026-39828 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
- BZ - 2480688 - CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
- BZ - 2480689 - CVE-2026-46595 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
- BZ - 2480756 - CVE-2026-39821 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
CVEs
- CVE-2025-61729
- CVE-2026-25679
- CVE-2026-27137
- CVE-2026-32280
- CVE-2026-32281
- CVE-2026-32282
- CVE-2026-32283
- CVE-2026-33186
- CVE-2026-33810
- CVE-2026-33811
- CVE-2026-33815
- CVE-2026-33816
- CVE-2026-35469
- CVE-2026-39821
- CVE-2026-39828
- CVE-2026-39829
- CVE-2026-39830
- CVE-2026-39832
- CVE-2026-39835
- CVE-2026-42151
- CVE-2026-42154
- CVE-2026-42508
- CVE-2026-46595
References
- https://access.redhat.com/security/updates/classification/#important
- https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/managing_device_fleets_with_the_red_hat_edge_manager/assembly-edge-manager-intro
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html-single/edge_manager/index#edge-mgr-intro
Red Hat Edge Manager 1.0
| SRPM | |
|---|---|
| flightctl-1.0.3-1.el9em.src.rpm | SHA-256: 0ddb44e9a966bce0f801b14ab67cea76b79e73e75838681bddfbdc6f1a6d0489 |
| x86_64 | |
| flightctl-agent-1.0.3-1.el9em.x86_64.rpm | SHA-256: dbb774df07158ffdccc82cdb46bf20ce216b6af0c06261489e9644bc442d6cab |
| flightctl-cli-1.0.3-1.el9em.x86_64.rpm | SHA-256: a10b4bafa50ea7beefe23465364122153a45fe2ff3acbf125cb4f417bdede08d |
| flightctl-observability-1.0.3-1.el9em.x86_64.rpm | SHA-256: 2ca941fbe5f5f03e458fb6628e59ef1ebceb6341eca39b2ebaae94e28f50cbc6 |
| flightctl-selinux-1.0.3-1.el9em.noarch.rpm | SHA-256: 6b9ece14a0089a94f060e97c575ad276914ed12a6494521fac9a70fb7621c8c3 |
| flightctl-services-1.0.3-1.el9em.x86_64.rpm | SHA-256: 21e4f301f9abe2eb6c3b6fbc25294b032e1fc46cfe7ade4a3f8b1d03d24cbfe2 |
| flightctl-telemetry-gateway-1.0.3-1.el9em.x86_64.rpm | SHA-256: 891c6f1049f3c9f52796df6dbe0043f9d73a750b032b7a119ef24494d7b0f861 |
| s390x | |
| flightctl-agent-1.0.3-1.el9em.s390x.rpm | SHA-256: bf2a266aea42fc10a3294686c63ab2c6fee8f8b971aaa5e2f130f7d4080c8665 |
| flightctl-cli-1.0.3-1.el9em.s390x.rpm | SHA-256: dbd7d649b244fb4a6357e39e2dc6805e88c36a0ded9205df2ffb4cc52fb5bccf |
| flightctl-observability-1.0.3-1.el9em.s390x.rpm | SHA-256: 80187748adffb6c54da342a4bc4af243c9e7d66bcf6971381fd1e0334754ed95 |
| flightctl-selinux-1.0.3-1.el9em.noarch.rpm | SHA-256: 6b9ece14a0089a94f060e97c575ad276914ed12a6494521fac9a70fb7621c8c3 |
| flightctl-services-1.0.3-1.el9em.s390x.rpm | SHA-256: dd64ad9b280b77f3386b9bc246e0d2710299c7dcdb32975bb091e736801d2d67 |
| flightctl-telemetry-gateway-1.0.3-1.el9em.s390x.rpm | SHA-256: 8320ad15d7a1c76409ecf64ae03df51c8fd80af22f6b16dc03226892b52c99b9 |
| ppc64le | |
| flightctl-agent-1.0.3-1.el9em.ppc64le.rpm | SHA-256: 56658844a533cb10a6fc5a5f4c2a4553b7185b8110277725fa679925d4ac670d |
| flightctl-cli-1.0.3-1.el9em.ppc64le.rpm | SHA-256: 4d346bc3c1c0c8c227515c60e51ead1c56db4f420195f4d58c05547fff06c9cf |
| flightctl-observability-1.0.3-1.el9em.ppc64le.rpm | SHA-256: 1256a6ed1d2c5a26dd8fc5699b048dbedde5cdd4884cda4844f181c67271edf2 |
| flightctl-selinux-1.0.3-1.el9em.noarch.rpm | SHA-256: 6b9ece14a0089a94f060e97c575ad276914ed12a6494521fac9a70fb7621c8c3 |
| flightctl-services-1.0.3-1.el9em.ppc64le.rpm | SHA-256: 512c9da4888213e45d31580554ce1189c813f5e913033de9ad6a97c3e6d8bf0b |
| flightctl-telemetry-gateway-1.0.3-1.el9em.ppc64le.rpm | SHA-256: f79510d0324bdaafdb0f293a78873c26737c309c81c22012a0114684aecb9947 |
| aarch64 | |
| flightctl-agent-1.0.3-1.el9em.aarch64.rpm | SHA-256: 251ea5a059bec1562c4f28113349b19a62ba5be0610e8f0140297e6a4214b9fc |
| flightctl-cli-1.0.3-1.el9em.aarch64.rpm | SHA-256: ad01f12e95e5a30941a603b734da24b1b193e523dc32d1b4eeaf950df7cb5d7c |
| flightctl-observability-1.0.3-1.el9em.aarch64.rpm | SHA-256: bcc2b7495484f6e522fc260cfabbe829a764fcd04c63960fa2b4438e29457f4d |
| flightctl-selinux-1.0.3-1.el9em.noarch.rpm | SHA-256: 6b9ece14a0089a94f060e97c575ad276914ed12a6494521fac9a70fb7621c8c3 |
| flightctl-services-1.0.3-1.el9em.aarch64.rpm | SHA-256: 84577e0a53a6a3fd5c56efde6a8e55373d730b0585f55987941a7829ef2c085b |
| flightctl-telemetry-gateway-1.0.3-1.el9em.aarch64.rpm | SHA-256: 8b795f115cf0a383c206a7e1423c5d6b635749515c5246f35e71e51b9e4ccc67 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.