This Red Hat security advisory addresses multiple vulnerabilities in the containernetworking-plugins package for RHEL 9.4 EUS, stemming from flaws in the underlying Go runtime, including a critical (CVSS 10.0) unexpected session resumption bug in crypto/tls (CVE-2025-68121), high-severity denial-of-service issues in crypto/x509 and net/url parsing, and an IPv6 parsing error. The affected versions are Go (golang) prior to 1.24.13, 1.25.0 through 1.25.6, and version 1.26.0, with fixes provided in Go versions 1.24.13, 1.25.7, and 1.26.1 or later, which are included in the updated Red Hat packages.
Red Hat Product Errata RHSA-2026:12032 - Security Advisory Issued: 2026-04-30 Updated: 2026-04-30 RHSA-2026:12032 - Security Advisory Overview Updated Packages Synopsis Important: containernetworking-plugins security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. Security Fix(es): crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 Red Hat Enterprise Linux Server - AUS 9.4 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x Fixes BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url CVEs CVE-2025-61726 CVE-2025-61729 CVE-2025-68121 CVE-2026-25679 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d x86_64 containernetworking-plugins-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a3327fc3172cafc55bc03bbd293e679bc5ca16a9d87d2094dba3ca881f355dd8 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: 79afbaa8270212f444b23d2132de0edb2ca5a5995d65d88f0f3c39daa22cdc1b containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a4c572a72b1caacefcda61135d9220e531a14745cea6b0c9de52e7da26af2f95 Red Hat Enterprise Linux Server - AUS 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d x86_64 containernetworking-plugins-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a3327fc3172cafc55bc03bbd293e679bc5ca16a9d87d2094dba3ca881f355dd8 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: 79afbaa8270212f444b23d2132de0edb2ca5a5995d65d88f0f3c39daa22cdc1b containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a4c572a72b1caacefcda61135d9220e531a14745cea6b0c9de52e7da26af2f95 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d s390x containernetworking-plugins-1.4.0-6.el9_4.3.s390x.rpm SHA-256: cc029de8e64577c4ef0ba8a41854f6febd31a25fbf5230475ee548fb6c67d076 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.s390x.rpm SHA-256: acc701d909c3b68f3c84f3e3b0ca73b132b469bf7834b7b3412e0e38b87bb185 containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.s390x.rpm SHA-256: 4410370eafe67860979cb98b7317611819ab98c41781da0ca9187dc97b915774 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d ppc64le containernetworking-plugins-1.4.0-6.el9_4.3.ppc64le.rpm SHA-256: f85486317f2df09ce42988e1b52d8c0d5480c91cedbbfeb1863dde93650dbe4d containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.ppc64le.rpm SHA-256: 5783fd9cdbd39254f4d710d021dbdd032d1cc88a438e05f9b15d8512f6a4e5b2 containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.ppc64le.rpm SHA-256: 0f88b71393c057385b9ef378749ab5a13f70eee4c848fbd8de7e82baa41f5ad8 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d aarch64 containernetworking-plugins-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 37c1184cd8906d15eee1236ebc6901119085818927565bb96b55da76ec3e7501 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 86d43b9db21a68652b6f3876262a52bb57429cc495cc6a3caf3c7f13f1e1fc30 containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 1812862f6af114ee8bcf9c999b431d513402a01ea798df4bf4d808dd11f53c1f Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d ppc64le containernetworking-plugins-1.4.0-6.el9_4.3.ppc64le.rpm SHA-256: f85486317f2df09ce42988e1b52d8c0d5480c91cedbbfeb1863dde93650dbe4d containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.ppc64le.rpm SHA-256: 5783fd9cdbd39254f4d710d021dbdd032d1cc88a438e05f9b15d8512f6a4e5b2 containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.ppc64le.rpm SHA-256: 0f88b71393c057385b9ef378749ab5a13f70eee4c848fbd8de7e82baa41f5ad8 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d x86_64 containernetworking-plugins-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a3327fc3172cafc55bc03bbd293e679bc5ca16a9d87d2094dba3ca881f355dd8 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: 79afbaa8270212f444b23d2132de0edb2ca5a5995d65d88f0f3c39daa22cdc1b containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a4c572a72b1caacefcda61135d9220e531a14745cea6b0c9de52e7da26af2f95 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d aarch64 containernetworking-plugins-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 37c1184cd8906d15eee1236ebc6901119085818927565bb96b55da76ec3e7501 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 86d43b9db21a68652b6f3876262a52bb57429cc495cc6a3caf3c7f13f1e1fc30 containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 1812862f6af114ee8bcf9c999b431d513402a01ea798df4bf4d808dd11f53c1f Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d s390x containernetworking-plugins-1.4.0-6.el9_4.3.s390x.rpm SHA-256: cc029de8e64577c4ef0ba8a41854f6febd31a25fbf5230475ee548fb6c67d076 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.s390x.rpm SHA-256: acc701d909c3b68f3c84f3e3b0ca73b132b469bf7834b7b3412e0e38b87bb185 containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.s390x.rpm SHA-256: 4410370eafe67860979cb98b7317611819ab98c41781da0ca9187dc97b915774 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d x86_64 containernetworking-plugins-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a3327fc3172cafc55bc03bbd293e679bc5ca16a9d87d2094dba3ca881f355dd8 containernetworking-plugins-debuginfo-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: 79afbaa8270212f444b23d2132de0edb2ca5a5995d65d88f0f3c39daa22cdc1b containernetworking-plugins-debugsource-1.4.0-6.el9_4.3.x86_64.rpm SHA-256: a4c572a72b1caacefcda61135d9220e531a14745cea6b0c9de52e7da26af2f95 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 SRPM containernetworking-plugins-1.4.0-6.el9_4.3.src.rpm SHA-256: 6ee30de79f9a8a7d4174ce64dfda45c22f5eaa7eae5ae5a0cad1f5a8a4c9fb9d aarch64 containernetworking-plugins-1.4.0-6.el9_4.3.aarch64.rpm SHA-256: 37c1184cd8906d15eee1236ebc690111908581892