RHSA-2026:14162 Red Hat OpenTelemetry Security Advisory (CVE-2026-4878/41602/32280/32283/2911)

RHSA-2026:14162 - Security Advisory Summary Vulnerability Overview Red Hat has released OpenTelemetry version 3.9.3, which addresses multiple security vulnerabilities: 1. Race Condition in libc File Capabilities Update (CVE-2026-4878) - The function contains a Time-of-Check to Time-of-Use (TOCTOU) race condition. - An attacker could exploit this vulnerability to redirect file capability updates to a file under their control. 2. Integer Overflow in Apache Thrift TTransport Go (CVE-2026-41602) - The Go implementation of TTransport contains an integer overflow or wraparound vulnerability. - This can lead to unexpected behavior or resource exhaustion, resulting in a denial of service. 3. Certificate Chain Handling in Go crypto Package (CVE-2026-32280) - The and packages do not properly limit the number of intermediate certificates. - An attacker could provide an excessive number of intermediate certificates, causing a denial of service. 4. TLS 1.3 Connection Deadlock (CVE-2026-32283) - TLS 1.3 connections may deadlock when processing multiple key update messages within a single record. - This leads to uncontrolled resource consumption and denial of service. 5. systemd IPC API Vulnerability (CVE-2026-2911) - systemd contains a flaw in the validation of IPC API calls. - Older versions (v249 and earlier) may lead to stack overflow and arbitrary code execution. - Newer versions (v250 and later) may result in system assertion failures and freezing. Affected Scope Red Hat Build of OpenTelemetry version 3.9.3 Components involved include libc, Apache Thrift, Go standard library, TLS 1.3 implementation, and systemd. Remediation Upgrade to OpenTelemetry version 3.9.3. Reference documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators Known Issues The filesystem scraper does not generate and metrics after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround. References https://access.redhat.com/security/updates/classification/ https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry/

Goal Reached Thanks to every supporter — we hit 100%!

RHSA-2026:14162 Red Hat OpenTelemetry Security Advisory (CVE-2026-4878/41602/32280/32283/2911)

More from this source