Issued:
2026-04-21
Updated:
2026-04-21

RHSA-2026:9440 - Red Hat OpenShift Service Mesh 3.0.10

Synopsis

Red Hat OpenShift Service Mesh 3.0.10

Type/Severity

Security Advisory Important

Topic

Red Hat OpenShift Service Mesh 3.0.10

This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh 3.0.10, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.

Fixes/Improvements:

Security Fix(es):

  • istio-rhel9-operator: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

  • istio-cni-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

  • istio-pilot-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

  • istio-proxyv2-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

  • istio-proxyv2-rhel9: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)

  • istio-proxyv2-rhel9: BuildKit: Arbitrary file write and code execution via untrusted frontend (CVE-2026-33747)

  • istio-proxyv2-rhel9: BuildKit: Unauthorized file access via Git URL fragment subdir components (CVE-2026-33748)

Solution

See Red Hat OpenShift Service Mesh 3.0.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0

Affected Products

ProductVersionArch
Red Hat OpenShift Service Mesh3x86_64

Fixes

(none)

CVEs

References

Additional information