{ "threat_severity" : "Important", "public_date" : "2026-03-26T19:40:51Z", "bugzilla" : { "description" : "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input", "id" : "2451846", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451846" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-1285", "details" : [ "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.", "A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data." ], "affected_release" : [ { "product_name" : "multicluster engine for Kubernetes 2.1", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19099", "cpe" : "cpe:/a:redhat:multicluster_engine:2.10::el9", "package" : "multicluster-engine/assisted-service-9-rhel9:1779135478" }, { "product_name" : "multicluster engine for Kubernetes 2.8", "release_date" : "2026-05-13T00:00:00Z", "advisory" : "RHSA-2026:17121", "cpe" : "cpe:/a:redhat:multicluster_engine:2.8::el8", "package" : "multicluster-engine/assisted-service-8-rhel8:1778288655" }, { "product_name" : "multicluster engine for Kubernetes 2.8", "release_date" : "2026-05-13T00:00:00Z", "advisory" : "RHSA-2026:17123", "cpe" : "cpe:/a:redhat:multicluster_engine:2.8::el9", "package" : "multicluster-engine/assisted-service-9-rhel9:1778288646" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.15", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13548", "cpe" : "cpe:/a:redhat:acm:2.15::el9", "package" : "rhacm2/acm-grafana-rhel9:1777142269" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-09T00:00:00Z", "advisory" : "RHSA-2026:7191", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "syft-main-1.42.4-0.1.hum1" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.9.3", "release_date" : "2026-04-21T00:00:00Z", "advisory" : "RHSA-2026:9385", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9", "package" : "rhosdt/tempo-query-rhel9:1776435613" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.9.3", "release_date" : "2026-04-21T00:00:00Z", "advisory" : "RHSA-2026:9385", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9", "package" : "rhosdt/tempo-rhel9:1776435680" } ], "package_state" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Will not fix", "package_name" : "openshift-logging/logging-loki-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Will not fix", "package_name" : "openshift-logging/loki-operator-bundle", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Will not fix", "package_name" : "openshift-logging/loki-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Will not fix", "package_name" : "openshift-logging/lokistack-gateway-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Will not fix", "package_name" : "openshift-logging/opa-openshift-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/logging-loki-rhel9", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/loki-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Multicluster Global Hub", "fix_state" : "Affected", "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "cpe" : "cpe:/a:redhat:multicluster_globalhub" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform/platform-operator-bundle", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Hardened Images", "fix_state" : "Affected", "package_name" : "trivy", "cpe" : "cpe:/a:redhat:hummingbird:1" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "cri-tools", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/container-networking-plugins-microshift-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/oc-mirror-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-agent-installer-api-server-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-agent-installer-api-server-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-container-networking-plugins-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift for Windows Containers", "fix_state" : "Not affected", "package_name" : "openshift4-wincw/windows-machine-config-operator-bundle", "cpe" : "cpe:/a:redhat:windows_machine_config" }, { "product_name" : "Red Hat OpenShift for Windows Containers", "fix_state" : "Not affected", "package_name" : "openshift4-wincw/windows-machine-config-rhel9-operator", "cpe" : "cpe:/a:redhat:windows_machine_config" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Will not fix", "package_name" : "openshift-gitops-1/argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/argocd-rhel9", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenStack Platform 18.0", "fix_state" : "Not affected", "package_name" : "rhoso-operators/openstack-operator-bundle", "cpe" : "cpe:/a:redhat:openstack:18.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32285\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32285\nhttps://github.com/buger/jsonparser/issues/275\nhttps://github.com/golang/vulndb/issues/4514\nhttps://pkg.go.dev/vuln/GO-2026-4514" ], "name" : "CVE-2026-32285", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }