CVE-2026-33487

high Red Hat
CVSS v3 Base Score
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 92% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
High
Availability
None
Published: March 26, 2026 (106 days ago)
Last Modified: March 26, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT

Description

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.

CWE

CWE-347

Affected Products

Multicluster Global HubRed Hat Advanced Cluster Security 4Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat Advanced Cluster Management for Kubernetes 2.15Red Hat OpenShift GitOps 1.18Red Hat OpenShift GitOps 1.19

Fix Status

✅ Fix Available

References