{
  "threat_severity" : "Important",
  "public_date" : "2026-04-28T09:19:06Z",
  "bugzilla" : {
    "description" : "github.com/apache/thrift: Apache Thrift: Integer Overflow in TFramedTransport Go implementation",
    "id" : "2463407",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463407"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "A flaw was found in the Go implementation of TFramedTransport in Apache Thrift. An integer overflow or wraparound (CWE-190) could allow a remote, unauthenticated attacker to cause unexpected behavior or resource exhaustion, leading to a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14162",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/opentelemetry-collector-rhel9:1778056267"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-jaeger-query-rhel9:1778158391"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-query-rhel9:1778158343"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-rhel9:1778158374"
  } ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/acm-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Affected",
    "package_name" : "rhaiis/vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Affected",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/snmp-notifier-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/rhceph-6-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/snmp-notifier-rhel9",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/alloy-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/grafana-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Out of support scope",
    "package_name" : "rhceph/snmp-notifier-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "rhoso-operators/openstack-operator-bundle",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41602\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41602\nhttp://www.openwall.com/lists/oss-security/2026/04/28/6\nhttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql" ],
  "name" : "CVE-2026-41602",
  "csaw" : false
}