{
  "threat_severity" : "Important",
  "public_date" : "2026-04-28T09:19:06Z",
  "bugzilla" : {
    "description" : "github.com/apache/thrift: Apache Thrift: Integer Overflow in TFramedTransport Go implementation",
    "id" : "2463407",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463407"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation\nThis issue affects Apache Thrift: before 0.23.0.\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.", "A flaw was found in the Apache Thrift TFramedTransport Go language implementation. This integer overflow or wraparound vulnerability could potentially allow an attacker to cause unexpected behavior or resource exhaustion, leading to a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779212259"
  }, {
    "product_name" : "Multicluster Global Hub 1.4.5",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22347",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.4::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439"
  }, {
    "product_name" : "Multicluster Global Hub 1.5.4",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21769",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.5::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753"
  }, {
    "product_name" : "Multicluster Global Hub 1.6.2",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23345",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.6::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118"
  }, {
    "product_name" : "Multicluster Global Hub 1.7.1",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24503",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.7::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779925273"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.15",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24539",
    "cpe" : "cpe:/a:redhat:acm:2.15::el9",
    "package" : "rhacm2/acm-grafana-rhel9:1780677003"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.16",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25273",
    "cpe" : "cpe:/a:redhat:acm:2.16::el9",
    "package" : "rhacm2/acm-grafana-rhel9:1780926805"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14162",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/opentelemetry-collector-rhel9:1778056267"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-jaeger-query-rhel9:1778158391"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-query-rhel9:1778158343"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-rhel9:1778158374"
  } ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/snmp-notifier-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/rhceph-6-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/snmp-notifier-rhel9",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/alloy-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/grafana-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/snmp-notifier-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "rhoso-operators/openstack-operator-bundle",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41602\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41602\nhttp://www.openwall.com/lists/oss-security/2026/04/28/6\nhttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql" ],
  "name" : "CVE-2026-41602",
  "csaw" : false
}