RHSA-2026:5952 - Security Advisory

Topic

Red Hat OpenShift Service Mesh 3.2.3

This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh 3.2.3, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.

Fixes/Improvements:

• Updated to Istio version 1.27.8
• Multiple InferencePools on same Gateway - ext_proc lost for all but first (OSSM-12585)

Security Fix(es):

• istio-rhel9-operator: Unexpected session resumption in crypto/tls (CVE-2025-68121)
• istio-cni-rhel9: Unexpected session resumption in crypto/tls (CVE-2025-68121)
• istio-pilot-rhel9: Unexpected session resumption in crypto/tls (CVE-2025-68121)
• istio-proxyv2-rhel9: Unexpected session resumption in crypto/tls (CVE-2025-68121)
• istio-rhel9-operator: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
• istio-cni-rhel9: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
• istio-pilot-rhel9: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
• istio-proxyv2-rhel9: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
• istio-rhel9-operator: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
• istio-cni-rhel9: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
• istio-pilot-rhel9: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
• istio-proxyv2-rhel9: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
• istio-rhel9-operator: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
• istio-cni-rhel9: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
• istio-pilot-rhel9: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
• istio-proxyv2-rhel9: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
• istio-rhel9-operator: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
• istio-cni-rhel9: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
• istio-pilot-rhel9: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
• istio-proxyv2-rhel9: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
• istio-pilot-rhel9: JWKS Resolver Failure May Expose Hardcoded Default Keys (CVE-2026-31837)
• istio-proxyv2-rhel9: JWKS Resolver Failure May Expose Hardcoded Default Keys (CVE-2026-31837)

Solution

See Red Hat OpenShift Service Mesh 3.2.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2

Fixes

• OSSM-12585 - Multiple InferencePools on same Gateway - ext_proc lost for all but first

CVEs

• CVE-2025-61726
• CVE-2025-61728
• CVE-2025-61731
• CVE-2025-61732
• CVE-2025-68121
• CVE-2026-31837
• CVE-2025-61726
• CVE-2025-61728
• CVE-2025-61731
• CVE-2025-61732
• CVE-2025-68121
• CVE-2026-31837

References

• https://access.redhat.com/security/updates/classification
• https://access.redhat.com/security/updates/classification/