This security update addresses multiple vulnerabilities in the `gvisor-tap-vsock` component for Red Hat Enterprise Linux 10.0 EUS, stemming from its underlying Go runtime. The flaws include critical and high-severity issues (CVSS up to 10.0) enabling denial of service, memory exhaustion, and incorrect certificate validation via crafted inputs. The article references specific Go version fixes (e.g., 1.24.13, 1.25.7) for the CVEs, and administrators should apply the referenced Red Hat update to remediate.
Red Hat Product Errata RHSA-2026:17084 - Security Advisory Issued: 2026-05-13 Updated: 2026-05-13 RHSA-2026:17084 - Security Advisory Overview Updated Packages Synopsis Important: gvisor-tap-vsock security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description A replacement for libslirp and VPNKit, written in pure Go. It is based on the network stack of gVisor. Compared to libslirp, gvisor-tap-vsock brings a configurable DNS server and dynamic port forwarding. Security Fix(es): crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282) crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages BZ - 2456339 - CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVEs CVE-2025-61726 CVE-2025-61729 CVE-2025-68121 CVE-2026-25679 CVE-2026-32280 CVE-2026-32282 CVE-2026-32283 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 x86_64 gvisor-tap-vsock-0.8.5-2.el10_0.1.x86_64.rpm SHA-256: bda95b05fee7f626314654cb14a079ba2fcb10ecb4182de461ef42f7dcefb922 gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.x86_64.rpm SHA-256: d13cd1c34dc1ba9a5a6d34f854840b8abdf765b194c45d98860d1407ef759181 gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.x86_64.rpm SHA-256: aa4c791c775c2c770cf50dbac7c0861fc6e092bec2b0adb35b9c94bc88367369 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.x86_64.rpm SHA-256: aa1bc0efa6ef08b4e44ad1a2a583fa264d91f358e637bb8253321995ea3c0a30 gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.x86_64.rpm SHA-256: b4b2e3c9e07914cbd0366efd14fdec607a7b60c3f6db6d7b3f39c531c5bd3c8a Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 s390x gvisor-tap-vsock-0.8.5-2.el10_0.1.s390x.rpm SHA-256: bf3a72d1c43aaf230e0bd667eafdbea8d58c0970f0014520b2111077ee5a7859 gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.s390x.rpm SHA-256: d3fb05d3dff9dfee59f4f305c401f671ff83efc93180d6ec4a4a8bb03a057e2a gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.s390x.rpm SHA-256: 4c53cc716da7dffc85085b424cfc0d6ab3be45d3d7da608f0a567ec46b6c4489 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.s390x.rpm SHA-256: 4877d8dc33aca071bd5f721f543597ec9ff7a300e41b0276f9015bd7fdec90c6 gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.s390x.rpm SHA-256: 5043145fd7c90d515f219e35edbd70ee4b73cbcb1e0d86253a3515a85567867b Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 ppc64le gvisor-tap-vsock-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: e373dde8f82d01c4473513abc8e18d3351ea33849d7a0d701d0cc2249c8eb601 gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: 118b136475e36004bca4078403aa1948839a766eb776910b76b16ea31a13f3ab gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: 9e8171919c8b89aac9841e013f8b45ced73529e17162573c3eb5e64d4a1bae62 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: 07e98c726e2c70cddc97ab1b601d5082a9973609531e9729a98e6a527d6059d7 gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: ad4e20ca4c3eed93b4679426171fbda7aced53cd06fff4cb47c2b94717d232c6 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 aarch64 gvisor-tap-vsock-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 7b31aa9b77202ef84586d442a2988a6125bf9124d42c82c34e3d013bf0dd17ed gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 78875747289000500801ef90cdc3031599371616e01891d0a54816f09d96f8bc gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 9c0adbecd56ed7e420aba16a9e40ce0ff73a390ce97fa5a7a050005ae9ab3dd3 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 9d54a5acd2407cd12d83afe8f96e826191cc94ac1a18e17b0d5c0056f211814d gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: bae2134e5cf16a7574f4dbb15a7e11d4a4bac674c5867f3dcf6d3139124ccece Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 aarch64 gvisor-tap-vsock-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 7b31aa9b77202ef84586d442a2988a6125bf9124d42c82c34e3d013bf0dd17ed gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 78875747289000500801ef90cdc3031599371616e01891d0a54816f09d96f8bc gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 9c0adbecd56ed7e420aba16a9e40ce0ff73a390ce97fa5a7a050005ae9ab3dd3 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: 9d54a5acd2407cd12d83afe8f96e826191cc94ac1a18e17b0d5c0056f211814d gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.aarch64.rpm SHA-256: bae2134e5cf16a7574f4dbb15a7e11d4a4bac674c5867f3dcf6d3139124ccece Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 s390x gvisor-tap-vsock-0.8.5-2.el10_0.1.s390x.rpm SHA-256: bf3a72d1c43aaf230e0bd667eafdbea8d58c0970f0014520b2111077ee5a7859 gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.s390x.rpm SHA-256: d3fb05d3dff9dfee59f4f305c401f671ff83efc93180d6ec4a4a8bb03a057e2a gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.s390x.rpm SHA-256: 4c53cc716da7dffc85085b424cfc0d6ab3be45d3d7da608f0a567ec46b6c4489 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.s390x.rpm SHA-256: 4877d8dc33aca071bd5f721f543597ec9ff7a300e41b0276f9015bd7fdec90c6 gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.s390x.rpm SHA-256: 5043145fd7c90d515f219e35edbd70ee4b73cbcb1e0d86253a3515a85567867b Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 ppc64le gvisor-tap-vsock-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: e373dde8f82d01c4473513abc8e18d3351ea33849d7a0d701d0cc2249c8eb601 gvisor-tap-vsock-debuginfo-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: 118b136475e36004bca4078403aa1948839a766eb776910b76b16ea31a13f3ab gvisor-tap-vsock-debugsource-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: 9e8171919c8b89aac9841e013f8b45ced73529e17162573c3eb5e64d4a1bae62 gvisor-tap-vsock-gvforwarder-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: 07e98c726e2c70cddc97ab1b601d5082a9973609531e9729a98e6a527d6059d7 gvisor-tap-vsock-gvforwarder-debuginfo-0.8.5-2.el10_0.1.ppc64le.rpm SHA-256: ad4e20ca4c3eed93b4679426171fbda7aced53cd06fff4cb47c2b94717d232c6 Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 SRPM gvisor-tap-vsock-0.8.5-2.el10_0.1.src.rpm SHA-256: 3b9199d91c521a2709e369a249cd380e324f42e44f8ab06e00bdd20ab4523dc9 x86_64 gvisor-tap-vsock-0.8.5-2.el10_0.1.x86_64.rpm SHA-256: bda95b05fee7f626314654cb14a079ba2fcb10ecb4182de46