CVE-2026-32288

medium

Red Hat

CVSS v3 Base Score

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS Score

0.0%

Exploitation probability in 30 days

Top 99% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Confidentiality

None

Integrity

None

Availability

Low

Published: April 8, 2026 (36 days ago)

Last Modified: April 8, 2026

Vendor: Red Hat

Source: REDHAT

Description

A flaw was found in Go's `archive/tar` package. A remote attacker could exploit this vulnerability by providing a maliciously-crafted archive file. When the `tar.Reader` processes an archive containing a large number of sparse regions in the "old GNU sparse map" format, it can lead to unbounded memory allocation. This can result in a Denial of Service (DoS) condition, making the affected application unresponsive.

CWE

CWE-770

Affected Products

Assisted Installer for Red Hat OpenShift Container Platform 2Builds for Red Hat OpenShiftcert-manager Operator for Red Hat OpenShiftConfidential Compute AttestationCryostat 4Custom Metric Autoscaler operator for Red Hat OpenshiftDeployment Validation OperatorExternal Secrets Operator for Red Hat OpenShiftLogging Subsystem for Red Hat OpenShiftMigration Toolkit for Applications 8

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 go.dev 🔗 go.dev

CVE-2026-32288

Vulnerability Report

Description

CWE

Affected Products

References