Red Hat Product Errata
RHSA-2026:14200 - Security Advisory
Issued: 2026-05-06
Updated: 2026-05-06

Synopsis
Important: git-lfs security update

Type/Severity
Security Advisory: Important

Topic
An update for git-lfs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):
  golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
  crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
  crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
  Red Hat Enterprise Linux for x86_64 9 x86_64
  Red Hat Enterprise Linux for IBM z Systems 9 s390x
  Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes
  BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
  BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
  BZ - 2456339 - CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building

CVEs
  CVE-2026-32280
  CVE-2026-32282
  CVE-2026-32283

References
  https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 9
  SRPM
    git-lfs-3.6.1-8.el9_7.1.src.rpm
  x86_64
    git-lfs-3.6.1-8.el9_7.1.x86_64.rpm
    git-lfs-debuginfo-3.6.1-8.el9_7.1.x86_64.rpm
    git-lfs-debugsource-3.6.1-8.el9_7.1.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 9
  SRPM
    git-lfs-3.6.1-8.el9_7.1.src.rpm
  s390x
    git-lfs-3.6.1-8.el9_7.1.s390x.rpm
    git-lfs-debuginfo-3.6.1-8.el9_7.1.s390x.rpm
    git-lfs-debugsource-3.6.1-8.el9_7.1.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 9
  SRPM
    git-lfs-3.6.1-8.el9_7.1.src.rpm
  ppc64le
    git-lfs-3.6.1-8.el9_7.1.ppc64le.rpm
    git-lfs-debuginfo-3.6.1-8.el9_7.1.ppc64le.rpm
    git-lfs-debugsource-3.6.1-8.el9_7.1.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 9
  SRPM
    git-lfs-3.6.1-8.el9_7.1.src.rpm
  aarch64
    git-lfs-3.6.1-8.el9_7.1.aarch64.rpm
    git-lfs-debuginfo-3.6.1-8.el9_7.1.aarch64.rpm
    git-lfs-debugsource-3.6.1-8.el9_7.1.aarch64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.