CVE Vulnerabilities

CVE-2026-32281

Improper Certificate Validation

Published: Apr 08, 2026 | Modified: Jun 17, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.9 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

NameVendorStart VersionEnd Version
GoGolang*1.25.9 (excluding)
GoGolang1.26.0 (including)1.26.2 (excluding)
Cryostat 4 on RHEL 9RedHatcryostat/cryostat-rhel9-operator:4.2.0-15*
Cryostat 4 on RHEL 9RedHatcryostat/cryostat-storage-rhel9:4.2.0-16*
HawtIO HawtIO 4.4.0RedHatrhbac-4-tech-preview/hawtio-rhel8-operator*
Red Hat Enterprise Linux 10RedHatgolang-0:1.25.9-3.el10_1*
Red Hat Enterprise Linux 10RedHatopentelemetry-collector-0:0.144.0-2.el10_2*
Red Hat Enterprise Linux 10RedHatgo-fdo-client-0:1.0.0-4.el10_2*
Red Hat Enterprise Linux 10RedHatgo-fdo-server-0:1.0.1-2.el10_2*
Red Hat Enterprise Linux 10RedHatdelve-0:1.26.1-2.el10_2*
Red Hat Enterprise Linux 10RedHatpodman-7:5.8.2-3.el10_2*
Red Hat Enterprise Linux 10RedHatyggdrasil-0:0.4.9-5.el10_2*
Red Hat Enterprise Linux 10RedHatgolang-github-openprinting-ipp-usb-0:0.9.27-7.el10_2.1*
Red Hat Enterprise Linux 10RedHatskopeo-2:1.22.2-2.el10_2*
Red Hat Enterprise Linux 10RedHatbuildah-2:1.43.1-2.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgolang-0:1.25.9-1.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgrafana-pcp-0:5.2.2-6.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatgrafana-0:10.2.6-24.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatyggdrasil-0:0.4.7-4.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatbuildah-2:1.39.9-1.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatpodman-6:5.4.0-15.el10_0.2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatskopeo-2:1.18.1-3.el10_0.2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatrhc-1:0.3.2-4.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatdelve-0:1.25.2-4.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatosbuild-composer-0:134.1-8.el10_0*
Red Hat Enterprise Linux 7 Extended Lifecycle SupportRedHathost-metering-0:1.4.0-7.el7_9*
Red Hat Enterprise Linux 8RedHatcontainer-tools:rhel8-8100020260520103055.afee755d*
Red Hat Enterprise Linux 9RedHatgolang-0:1.25.9-1.el9_7*
Red Hat Enterprise Linux 9RedHatopentelemetry-collector-0:0.144.0-2.el9_8*
Red Hat Enterprise Linux 9RedHatrhc-1:0.2.7-7.el9_8*
Red Hat Enterprise Linux 9RedHatpodman-6:5.8.2-3.el9_8*
Red Hat Enterprise Linux 9RedHatskopeo-2:1.22.2-6.el9_8*
Red Hat Enterprise Linux 9RedHatbuildah-2:1.43.1-2.el9_8*
Red Hat Enterprise Linux 9RedHatrunc-4:1.4.2-2.el9_8*
Red Hat Enterprise Linux 9RedHatcontainernetworking-plugins-1:1.9.0-3.el9_8*
Red Hat Enterprise Linux 9.4 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el9_4*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatbuildah-2:1.33.15-1.el9_4.1*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpodman-4:4.9.4-20.el9_4.3*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatskopeo-2:1.14.6-1.el9_4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgolang-0:1.25.9-1.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgrafana-pcp-0:5.1.1-14.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatgrafana-0:10.2.6-21.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatrhc-1:0.2.7-1.el9_6.4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatosbuild-composer-0:132.2-8.el9_6*
Red Hat Satellite 6.16 for RHEL 8RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el8sat*
Red Hat Satellite 6.16 for RHEL 9RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el9sat*
Red Hat Satellite 6.19 for RHEL 9RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el9sat*
Custom Metric Autoscaler 2.19RedHatcustom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9:1780101236*
Logging Subsystem for Red Hat OpenShift 6.0RedHatopenshift-logging/logging-loki-rhel9:1781193075*
Logging Subsystem for Red Hat OpenShift 6.4RedHatopenshift-logging/logging-loki-rhel9:1780051809*
Mirror registry for Red Hat OpenShift 2.0RedHatopenshift/mirror-registry-rhel8:1782177012*
Multicluster Global Hub 1.4.5RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439*
Multicluster Global Hub 1.5.4RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753*
Multicluster Global Hub 1.6.2RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118*
Multicluster Global Hub 1.7.1RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1779925273*
Network Observability (NETOBSERV) 1.12.0RedHatnetwork-observability/network-observability-flowlogs-pipeline-rhel9:1780555437*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-kubevirt-velero-plugin-rhel9:1779243307*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-mustgather-rhel9:1779770049*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-rhel9-operator:1779847451*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-plugin-for-aws-rhel9:1779243113*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-plugin-for-gcp-rhel9:1779243915*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-plugin-for-legacy-aws-rhel9:1779243074*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-plugin-for-microsoft-azure-rhel9:1779243128*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-plugin-rhel9:1779243793*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-restic-restore-helper-rhel9:1779809597*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-rhel9:1779809598*
OpenShift API for Data Protection 1.5RedHatoadp/oadp-velero-rhel9:1779808027*
OpenShift Compliance Operator 1RedHatcompliance/openshift-compliance-operator-bundle:1781605005*
OpenShift Developer Tools and Services 1.6.2RedHatsource-to-image/source-to-image-rhel8:1780247935*
OpenShift Developer Tools and Services 1.6.2RedHatsource-to-image/source-to-image-rhel9:1780247727*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-main-rhel8:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-rhel8-operator:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-roxctl-rhel8:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-scanner-v4-rhel8:1777976489*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-scanner-rhel8:1778755463*
Red Hat Advanced Cluster Security for Kubernetes 4.10RedHatadvanced-cluster-security/rhacs-scanner-slim-rhel8:1778755463*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-main-rhel8:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-rhel8-operator:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-roxctl-rhel8:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-scanner-v4-rhel8:1777986630*
Red Hat Advanced Cluster Security for Kubernetes 4.9RedHatadvanced-cluster-security/rhacs-main-rhel8:1779371594*
Red Hat Developer Hub 1.8RedHatrhdh/rhdh-rhel9-operator:1779841292*
Red Hat Developer Hub 1.9RedHatrhdh/rhdh-rhel9-operator:1781187028*
Red Hat Hardened ImagesRedHatgolang1-26-main-1.26.2-1.hum1*
Red Hat Hardened ImagesRedHatgolang1-25-main-1.25.9-1.hum1*
Red Hat Lightspeed (formerly Insights) for Runtimes 1RedHatrh-lightspeed-runtimes/runtimes-inventory-rhel9-operator:1.0.3-1779996197*
Red Hat OpenShift distributed tracing 3.10.1RedHatrhosdt/tempo-rhel9:1781589494*
Red Hat OpenShift GitOps 1.18RedHatopenshift-gitops-1/dex-rhel8:1779116359*
Red Hat OpenShift GitOps 1.19RedHatopenshift-gitops-1/dex-rhel8:1779209965*
Red Hat OpenShift GitOps 1.2RedHatopenshift-gitops-1/dex-rhel9:1779284768*
Red Hat OpenShift Service Mesh 2.6RedHatopenshift-service-mesh/kiali-rhel8:1779520348*
Red Hat OpenShift Service Mesh 3.0RedHatopenshift-service-mesh/kiali-rhel9:1779520253*
Red Hat OpenShift Service Mesh 3.0RedHatopenshift-service-mesh/kiali-rhel9:1780916345*
Red Hat OpenShift Service Mesh 3.1RedHatopenshift-service-mesh/kiali-rhel9:1779520433*
Red Hat OpenShift Service Mesh 3.1RedHatopenshift-service-mesh/kiali-rhel9:1780916478*
Red Hat OpenShift Service Mesh 3.2RedHatopenshift-service-mesh/kiali-rhel9:1779520857*
Red Hat OpenShift Service Mesh 3.2RedHatopenshift-service-mesh/kiali-rhel9:1780916392*
Red Hat OpenShift Service Mesh 3.3RedHatopenshift-service-mesh/kiali-rhel9:1779520708*
Red Hat OpenShift Service Mesh 3.3RedHatopenshift-service-mesh/kiali-rhel9:1780997438*
Red Hat Quay 3.10RedHatquay/quay-rhel8:1779822261*
Red Hat Quay 3.12RedHatquay/quay-rhel8:1779811412*
Red Hat Quay 3.14RedHatquay/quay-rhel8:1779689392*
Red Hat Quay 3.17RedHatquay/quay-rhel9:1779922205*
Red Hat Quay 3.9RedHatquay/quay-rhel8:1779811473*
Red Hat Trusted Artifact Signer 1.3RedHatrhtas/gitsign-rhel9:1780052587*
Golang-1.10Ubuntuesm-infra/xenial*
Golang-1.13Ubuntuesm-apps/xenial*
Golang-1.18Ubuntuesm-apps/xenial*
Golang-1.6Ubuntuesm-infra/xenial*

Potential Mitigations

References