RHSA-2026:9388 - Security Advisory

Topic

Red Hat build of OpenTelemetry 3.9.2 has been released

Description

This release of the Red Hat build of OpenTelemetry provides security improvements.

Breaking changes:

• None

Deprecations:

• None

Technology Preview features:

• None

Enhancements:

• None

Bug fixes:

• XPath library vulnerability is fixed: Previously, the 'github.com/antchfx/xpath' library was vulnerable to a denial of service (DoS) attack. This issue occurred because specially crafted boolean XPath expressions that evaluated to true caused an infinite loop in the 'logicalQuery.Select' function, leading to 100% CPU utilization. With this update, the XPath library properly handles these expressions and prevents infinite loops. As a result, the system is no longer vulnerable to this DoS condition. For more information, see https://access.redhat.com/security/cve/cve-2026-32287.
• gRPC-Go authorization bypass vulnerability is fixed: Previously, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 ':path' pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed ':path' that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the ':path' pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. For more information, see https://access.redhat.com/security/cve/cve-2026-33186.
• Go JOSE denial of service vulnerability is fixed: Previously, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial of service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer crashes when processing malformed JWE objects, and the service remains available to legitimate users. For more information, see https://access.redhat.com/security/cve/cve-2026-34986.

Known issues:

• The filesystem scraper does not produce the `system.filesystem.inodes.usage` and `system.filesystem.usage` metrics in the Host Metrics Receiver after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround exists. For more information, see https://issues.redhat.com/browse/TRACING-5963.

Solution

For details on how to apply this update, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators

Affected Products

• Red Hat OpenShift distributed tracing

Fixes

CVEs

• CVE-2026-32287
• CVE-2026-33186
• CVE-2026-34986

References

• https://access.redhat.com/security/updates/classification/
• https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry