A vulnerability (CVE-2026-32283, CVSS 7.5 HIGH) in the Go crypto/tls library allows a denial-of-service attack via multiple TLS 1.3 key update messages. The flaw affects Go versions earlier than 1.25.9, and versions 1.26.0 through 1.26.1. Red Hat has issued an Important security update for the host-metering package on RHEL 7 Extended Lifecycle Support to address this vulnerability.
Red Hat Product Errata RHSA-2026:16101 - Security Advisory Issued: 2026-05-11 Updated: 2026-05-11 RHSA-2026:16101 - Security Advisory Overview Updated Packages Synopsis Important: host-metering security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for host-metering is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Host metering service Security Fix(es): crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le Fixes BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages CVEs CVE-2026-32283 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 SRPM host-metering-1.4.0-7.el7_9.src.rpm SHA-256: 945905ca25109515cd4ae9f643f7d121b90b3008df09a5bc7e36ec52f94aa0b5 x86_64 host-metering-1.4.0-7.el7_9.x86_64.rpm SHA-256: 90dc34ad94a0cd21bdd05875ab705a7df5803831a1cc6c0dd1d514ec84dc8566 host-metering-debuginfo-1.4.0-7.el7_9.x86_64.rpm SHA-256: b0c5a8f951a6f1507417f26b7e00543d832cbe7d1e72edf2d3973cf7371503f3 host-metering-debugsource-1.4.0-7.el7_9.x86_64.rpm SHA-256: c2c6cf290c4d5233df3442a7b8d0798ecd88c61e0a892085dea33c058a92a903 host-metering-selinux-1.4.0-7.el7_9.noarch.rpm SHA-256: fe789b74521756861b9616bfa7f5f9482bfff628fb2ceb357bec9800ffdd51c8 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 SRPM host-metering-1.4.0-7.el7_9.src.rpm SHA-256: 945905ca25109515cd4ae9f643f7d121b90b3008df09a5bc7e36ec52f94aa0b5 ppc64le host-metering-1.4.0-7.el7_9.ppc64le.rpm SHA-256: 065d456559c4ee3206f4105817c5fb7905d7ef7c63cafa9df21682dbcfa13cfd host-metering-debuginfo-1.4.0-7.el7_9.ppc64le.rpm SHA-256: 5eeacc5086f5ac6a06447fc37b8ee7534916440c655390025dfdec2553605964 host-metering-debugsource-1.4.0-7.el7_9.ppc64le.rpm SHA-256: ea3f9d3a3c44c661dde75d1a605e202c42421035197c7f91661bbe4531285342 host-metering-selinux-1.4.0-7.el7_9.noarch.rpm SHA-256: fe789b74521756861b9616bfa7f5f9482bfff628fb2ceb357bec9800ffdd51c8 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .