{ "threat_severity" : "Important", "public_date" : "2026-04-28T09:20:44Z", "bugzilla" : { "description" : "Apache Thrift: Apache Thrift: Integer Overflow or Wraparound Vulnerability", "id" : "2463418", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463418" }, "cvss3" : { "cvss3_base_score" : "7.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-190", "details" : [ "A flaw was found in Apache Thrift. This integer overflow or wraparound vulnerability could potentially lead to unexpected behavior or resource exhaustion, which may impact the availability or integrity of the system. The exact consequences depend on how the overflow is triggered and handled within the application." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift distributed tracing 3.9.3", "release_date" : "2026-05-07T00:00:00Z", "advisory" : "RHSA-2026:14885", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9", "package" : "rhosdt/tempo-jaeger-query-rhel9:1778158391" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.9.3", "release_date" : "2026-05-07T00:00:00Z", "advisory" : "RHSA-2026:14885", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9", "package" : "rhosdt/tempo-query-rhel9:1778158343" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.9.3", "release_date" : "2026-05-07T00:00:00Z", "advisory" : "RHSA-2026:14885", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9", "package" : "rhosdt/tempo-rhel9:1778158374" } ], "package_state" : [ { "product_name" : "Multicluster Global Hub", "fix_state" : "Affected", "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "cpe" : "cpe:/a:redhat:multicluster_globalhub" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/istio-rhel8-operator", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/acm-grafana-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Affected", "package_name" : "rhaiis/vllm-cpu-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Affected", "package_name" : "rhaiis/vllm-cuda-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Affected", "package_name" : "rhaiis/vllm-rocm-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Affected", "package_name" : "rhaiis/vllm-tpu-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-aws-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-azure-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-azure-rocm-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-gcp-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-rocm-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kf-notebook-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-model-registry-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-notebook-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/oc-mirror-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ztp-site-generate-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Not affected", "package_name" : "rhosdt/opentelemetry-collector-rhel9", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Will not fix", "package_name" : "openshift-gitops-1/argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Will not fix", "package_name" : "openshift-gitops-1/argocd-rhel9", "cpe" : "cpe:/a:redhat:openshift_gitops:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41605\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41605\nhttp://www.openwall.com/lists/oss-security/2026/04/28/4\nhttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql" ], "name" : "CVE-2026-41605", "csaw" : false }