Issued:

2026-04-21

Updated:

2026-04-21

RHSA-2026:9461 - Red Hat OpenShift Service Mesh 3.3.2

Synopsis

Red Hat OpenShift Service Mesh 3.3.2

Type/Severity

Security Advisory Important

Topic

Red Hat OpenShift Service Mesh 3.3.2

This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh 3.3.2, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.

Fixes/Improvements:

Security Fix(es):

• istio-rhel9-operator: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

• istio-cni-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

• istio-pilot-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

• istio-proxyv2-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

Bug Fix(es):

• Ztunnel default value in operator contains older istio version (OSSM-13103)

• OSSM operator metrics reader ClusterRole conflicts with other operators (OSSM-13106)

Solution

See Red Hat OpenShift Service Mesh 3.3.2 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3

Affected Products

Fixes

(none)

CVEs

• CVE-2026-25679
• CVE-2026-25679

References

• https://access.redhat.com/security/updates/classification

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at Security Contacts and Procedures.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.