Red Hat Product Errata
RHSA-2026:18913 - Security Advisory
Issued: 2026-05-19
Updated: 2026-05-19

Synopsis
Important: containernetworking-plugins security update

Type/Severity
Security Advisory: Important

Topic
An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.

Security Fix(es):
- crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
- golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
- crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes
- BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
- BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url
- BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
- RHEL-146295 - Update containernetworking-plugins in RHEL9.8

CVEs
- CVE-2025-61726
- CVE-2025-61729
- CVE-2025-68121

References
- https://access.redhat.com/security/updates/classification/#important
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.8_release_notes/index

Updated Packages
Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 9
SRPM
- containernetworking-plugins-1.9.0-2.el9.src.rpm
x86_64
- containernetworking-plugins-1.9.0-2.el9.x86_64.rpm
- containernetworking-plugins-debuginfo-1.9.0-2.el9.x86_64.rpm
- containernetworking-plugins-debugsource-1.9.0-2.el9.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 9
SRPM
- containernetworking-plugins-1.9.0-2.el9.src.rpm
s390x
- containernetworking-plugins-1.9.0-2.el9.s390x.rpm
- containernetworking-plugins-debuginfo-1.9.0-2.el9.s390x.rpm
- containernetworking-plugins-debugsource-1.9.0-2.el9.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 9
SRPM
- containernetworking-plugins-1.9.0-2.el9.src.rpm
ppc64le
- containernetworking-plugins-1.9.0-2.el9.ppc64le.rpm
- containernetworking-plugins-debuginfo-1.9.0-2.el9.ppc64le.rpm
- containernetworking-plugins-debugsource-1.9.0-2.el9.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 9
SRPM
- containernetworking-plugins-1.9.0-2.el9.src.rpm
aarch64
- containernetworking-plugins-1.9.0-2.el9.aarch64.rpm
- containernetworking-plugins-debuginfo-1.9.0-2.el9.aarch64.rpm
- containernetworking-plugins-debugsource-1.9.0-2.el9.aarch64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details: https://access.redhat.com/security/team/contact/

This security update addresses three vulnerabilities in the containernetworking-plugins package for RHEL 9, all stemming from its underlying Go runtime: a denial of service via crafted certificates (CVE-2025-61729, CVSS 7.5 HIGH), memory exhaustion in URL parsing (CVE-2025-61726, CVSS 7.5 HIGH), and a critical certificate validation flaw during TLS session resumption (CVE-2025-68121, CVSS 10.0 CRITICAL). The affected Go versions are those below 1.24.13, those between 1.25.0 and 1.25.6, and version 1.26.0. The fix requires updating the containernetworking-plugins package to the version provided in the Red Hat advisory.