- Issued:
- 2026-04-21
- Updated:
- 2026-04-21
RHSA-2026:9453 - Security Advisory
Synopsis
Red Hat OpenShift Service Mesh 3.2.4
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Service Mesh 3.2.4
This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh 3.2.4, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.
Fixes/Improvements:
Security Fix(es):
- istio-rhel9-operator: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
- istio-cni-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
- istio-pilot-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
- istio-proxyv2-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
- istio-proxyv2-rhel9: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
- istio-proxyv2-rhel9: BuildKit: Arbitrary file write and code execution via untrusted frontend (CVE-2026-33747)
- istio-proxyv2-rhel9: BuildKit: Unauthorized file access via Git URL fragment subdir components (CVE-2026-33748)
- istio-cni-rhel9: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
- istio-pilot-rhel9: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
Bug Fix(es):
- Ztunnel default value in operator contains older istio version (OSSM-13103)
- OSSM operator metrics reader ClusterRole conflicts with other operators (OSSM-13106)
Solution
See Red Hat OpenShift Service Mesh 3.2.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2
Fixes
- OSSM-13103 - Ztunnel default value in operator contains older istio version
- OSSM-13106 - OSSM operator metrics reader ClusterRole conflicts with other operators
- OSSM-13263 - Add deprication note to OSSM3 FBC
CVEs
amd64
| registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a |
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741 |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69 |
| registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538 |
arm64
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02 |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0 |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3 |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1 |
| registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f |
ppc64le
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13 |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88 |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292 |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d |
| registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711 |
s390x
| registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911 |
| registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11 |
| registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0 |
| registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001 |
| registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad |
| registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
