
NO-JIRA: Update registry.redhat.io/openshift4/ose-must-gather-rhel9:v4.20 Docker digest to a9135da [SECURITY] #2453

Open

red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/docker-registry.redhat.io-openshift4-ose-must-gather-rhel9-vulnerability

Conversation


@red-hat-konflux red-hat-konflux Bot commented May 28, 2026

This PR contains the following updates:

Package: registry.redhat.io/openshift4/ose-must-gather-rhel9
Type: final
Update: digest
Change: d80f59f -> a9135da

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


axios: Axios: Remote Code Execution via Prototype Pollution escalation (CVE-2026-40175)

Details: A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote code execution or a full cloud compromise, such as bypassing AWS IMDSv2.

Severity: Important


Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code (CVE-2026-35469)

Details: A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.

Severity: Important


golang: cmd/compile: no-op interface conversion bypasses overlap checking (CVE-2026-27144)

Details: A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior.

Severity: Important


lodash: lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800)

Details: A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Severity: Important


golang: cmd/compile: possible memory corruption after bound check elimination (CVE-2026-27143)

Details: A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption.

Severity: Important


serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization (CVE-2026-34043)

Details: A flaw was found in serialize-javascript. An attacker can exploit this vulnerability by providing a specially crafted "array-like" object with an excessively large length property during the serialization process. This action causes the application to enter an intensive loop, leading to 100% CPU consumption and an indefinite hang. The primary consequence is a Denial of Service (DoS), making the affected system unresponsive.

Severity: Important


github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)

Details: A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

Severity: Important


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.
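The lodash entry in this PR describes two defects in how template imports are merged: inherited properties are picked up by a for..in walk, and import key names are not validated before they reach a Function() sink. The following is an added example, not lodash's code and not part of this PR: two hypothetical merge helpers, mergeImportsUnsafe and mergeImportsSafe, that contrast the for..in merge with a hardened merge that copies own properties only and accepts only plain identifiers as key names. The sample input is constructed and uses Object.create to stand in for a polluted prototype without modifying Object.prototype.

```javascript
// Added example (not lodash's code). Models the two merge strategies the
// advisory contrasts; names below are hypothetical.

// Unsafe: for..in also visits inherited enumerable properties, so anything
// reachable through the prototype chain ends up in the merged object.
function mergeImportsUnsafe(imports) {
  const merged = {};
  for (const key in imports) {
    merged[key] = imports[key];
  }
  return merged;
}

// Import names become the parameter list of a generated function, so only
// plain identifiers are acceptable as keys.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hardened: copy own properties only and validate every key name.
function mergeImportsSafe(imports) {
  const merged = {};
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key)) {
      throw new TypeError(`invalid import name: ${JSON.stringify(key)}`);
    }
    merged[key] = imports[key];
  }
  return merged;
}

// Constructed input: an imports object whose prototype carries an extra
// enumerable key, standing in for a polluted prototype.
function demo() {
  const base = { inherited: 1 };
  const imports = Object.create(base);
  imports.own = 2;
  const unsafeKeys = Object.keys(mergeImportsUnsafe(imports)).sort().join(',');
  const safeKeys = Object.keys(mergeImportsSafe(imports)).sort().join(',');
  let rejected = false;
  try {
    mergeImportsSafe({ 'bad name': 1 }); // space: not an identifier
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { unsafeKeys, safeKeys, rejected };
}
```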

…4.20 Docker digest to a9135da [SECURITY]

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 28, 2026
@openshift-ci-robot

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented May 28, 2026

Walkthrough

The must-gather Dockerfile base image digest was updated to a new pinned reference for ose-must-gather-rhel9:v4.20. All other Dockerfile instructions remain unchanged.

Changes

Base Image Update

Layer: Base Image Digest Update
File(s): release/must-gather/must-gather.konflux.Dockerfile
Summary: The FROM directive references a new pinned digest of the ose-must-gather-rhel9:v4.20 base image; all other Dockerfile content is unchanged.

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: 15 passed (all checks passed)

  • Title check (Passed): The title clearly and specifically describes the main change: updating a Docker image digest for security purposes, referencing the image name, old/new digests, and security classification.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): PR only modifies a Dockerfile (release/must-gather/must-gather.konflux.Dockerfile), not test files; check for stable Ginkgo test names is not applicable.
  • Test Structure And Quality (Passed): PR modifies only a Dockerfile (base image digest update), not Ginkgo test code; custom check for test quality is inapplicable to infrastructure changes.
  • Microshift Test Compatibility (Passed): No Ginkgo e2e tests were added in this PR. The only change is a Dockerfile base image digest update, which is outside the scope of this test compatibility check.
  • Single Node Openshift (Sno) Test Compatibility (Passed): No Ginkgo e2e tests added in this PR; it only updates a Dockerfile base image digest for security patches. Check not applicable.
  • Topology-Aware Scheduling Compatibility (Passed): PR only updates a Dockerfile base image digest; no deployment manifests, operator code, or controllers are added or modified, so topology-aware scheduling check is not applicable.
  • Ote Binary Stdout Contract (Passed): PR only updates Dockerfile base image digest; no Go code or test files modified, so OTE stdout contract check is not applicable.
  • Ipv6 And Disconnected Network Test Compatibility (Passed): Check not applicable: PR only updates a Dockerfile (must-gather base image digest), not adding new Ginkgo e2e tests.
  • No-Weak-Crypto (Passed): PR is a base image digest update in a Dockerfile with no cryptographic code additions, weak crypto algorithms, or insecure secret comparisons introduced.
  • Container-Privileges (Passed): Dockerfile runs as non-root (65532), with no privileged flags, hostPID/hostNetwork/hostIPC, SYS_ADMIN capability, or allowPrivilegeEscalation settings.
  • No-Sensitive-Data-In-Logs (Passed): The Dockerfile change only updates a base image digest for security fixes. No logging statements expose passwords, tokens, API keys, PII, or other sensitive data.
  • Description Check (Passed): Check skipped; CodeRabbit's high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 28, 2026
@openshift-ci openshift-ci Bot requested review from jeff-roche and jerpeter1 May 28, 2026 17:53

openshift-ci Bot commented May 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign jaypoulz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0


openshift-ci Bot commented May 28, 2026

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
