Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:19714: Important: rhc-worker-playbook security update

This update addresses three vulnerabilities in the Go programming language bundled within the `rhc-worker-playbook` component. CVE-2026-32282 (CVSS 6.4) lets `Root.Chmod` follow symlinks out of the root. CVE-2026-32283 and CVE-2026-32280 (both CVSS 7.5) enable denial-of-service attacks via multiple TLS 1.3 key update messages and certificate chain building, respectively. The affected Go versions are those prior to 1.25.9 and versions 1.26.0 through 1.26.1. The fix is contained in the updated `rhc-worker-playbook` package for Red Hat Enterprise Linux 10.0 Extended Update Support, which incorporates the patched Go versions 1.25.9 or 1.26.2.
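
The affected ranges quoted above, turned into a check for triaging other Go binaries on a host (an added example, not part of the advisory or of Red Hat's tooling). The function names are illustrative, and `binary_go_version` assumes the `go` command is installed; for `rhc-worker-playbook` itself, the package build named in the advisory is what to verify.

```shell
#!/bin/sh
# Added example: classify a Go toolchain version against the ranges in the
# summary: affected = anything before 1.25.9, and 1.26.0 through 1.26.1.

# go_version_status VERSION
# Prints "affected", "not-affected" or "unknown" (unparseable input such as
# rc/devel builds, which the quoted ranges do not cover).
go_version_status() {
    gvs_v=${1#go}                       # accept "go1.25.8" or "1.25.8"
    case $gvs_v in
        '' | *[!0-9.]* | .* | *. | *..*) echo unknown; return 0 ;;
    esac
    # Split on dots; IFS is changed for this read only.
    IFS=. read -r gvs_major gvs_minor gvs_patch gvs_extra <<EOF
$gvs_v
EOF
    gvs_minor=${gvs_minor:-0}
    gvs_patch=${gvs_patch:-0}
    if [ -n "$gvs_extra" ] || [ "$gvs_major" -ne 1 ]; then
        echo unknown
    elif [ "$gvs_minor" -lt 25 ]; then
        echo affected
    elif [ "$gvs_minor" -eq 25 ] && [ "$gvs_patch" -lt 9 ]; then
        echo affected
    elif [ "$gvs_minor" -eq 26 ] && [ "$gvs_patch" -le 1 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# binary_go_version FILE
# Prints the toolchain version embedded in a Go binary, taken from the
# "FILE: go1.x.y" line that `go version FILE` prints.
binary_go_version() {
    go version "$1" 2>/dev/null | sed -n 's/^.*: \(go[0-9][0-9.]*\).*$/\1/p'
}

# report_binaries FILE...
# One tab-separated "path, status" line per binary passed by the caller.
report_binaries() {
    for gvs_f in "$@"; do
        printf '%s\t%s\n' "$gvs_f" \
            "$(go_version_status "$(binary_go_version "$gvs_f")")"
    done
}
```

A file that is not a Go binary yields no version and is reported as `unknown`.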

Red Hat Product Errata
RHSA-2026:19714 - Security Advisory

Issued: 2026-05-20
Updated: 2026-05-20

Synopsis
Important: rhc-worker-playbook security update

Type/Severity
Security Advisory: Important

Topic
An update for rhc-worker-playbook is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
A worker for yggdrasil that receives Ansible playbooks and executes them against the local host.

Security Fix(es):
- golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
- crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
- crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
- Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes
- BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
- BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
- BZ - 2456339 - CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building

CVEs
- CVE-2026-32280
- CVE-2026-32282
- CVE-2026-32283

References
- https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Updated Packages
The Extended Update Support and 4-year streams list the same packages for each architecture.

SRPM
- rhc-worker-playbook-0.2.3-5.el10_0.src.rpm

x86_64
- rhc-worker-playbook-0.2.3-5.el10_0.x86_64.rpm
- rhc-worker-playbook-debuginfo-0.2.3-5.el10_0.x86_64.rpm
- rhc-worker-playbook-debugsource-0.2.3-5.el10_0.x86_64.rpm

s390x
- rhc-worker-playbook-0.2.3-5.el10_0.s390x.rpm
- rhc-worker-playbook-debuginfo-0.2.3-5.el10_0.s390x.rpm
- rhc-worker-playbook-debugsource-0.2.3-5.el10_0.s390x.rpm

ppc64le
- rhc-worker-playbook-0.2.3-5.el10_0.ppc64le.rpm
- rhc-worker-playbook-debuginfo-0.2.3-5.el10_0.ppc64le.rpm
- rhc-worker-playbook-debugsource-0.2.3-5.el10_0.ppc64le.rpm

aarch64
- rhc-worker-playbook-0.2.3-5.el10_0.aarch64.rpm
- rhc-worker-playbook-debuginfo-0.2.3-5.el10_0.aarch64.rpm
- rhc-worker-playbook-debugsource-0.2.3-5.el10_0.aarch64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.