{
  "threat_severity" : "Important",
  "public_date" : "2026-04-28T09:20:44Z",
  "bugzilla" : {
    "description" : "Apache Thrift: Apache Thrift: Integer Overflow or Wraparound Vulnerability",
    "id" : "2463418",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463418"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "Integer Overflow or Wraparound vulnerability in Apache Thrift.\nThis issue affects Apache Thrift: before 0.23.0.\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.", "A flaw was found in Apache Thrift. This integer overflow or wraparound vulnerability could potentially lead to unexpected behavior or resource exhaustion, which may impact the availability or integrity of the system. The exact consequences depend on how the overflow is triggered and handled within the application." ],
  "affected_release" : [ {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779212259"
  }, {
    "product_name" : "Multicluster Global Hub 1.4.5",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22347",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.4::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439"
  }, {
    "product_name" : "Multicluster Global Hub 1.5.4",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21769",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.5::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753"
  }, {
    "product_name" : "Multicluster Global Hub 1.6.2",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23345",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.6::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.15",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24539",
    "cpe" : "cpe:/a:redhat:acm:2.15::el9",
    "package" : "rhacm2/acm-grafana-rhel9:1780677003"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-jaeger-query-rhel9:1778158391"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-query-rhel9:1778158343"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-rhel9:1778158374"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Affected",
    "package_name" : "rhaiis/vllm-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Affected",
    "package_name" : "rhaiis/vllm-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-aws-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-azure-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-azure-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-gcp-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kf-notebook-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-notebook-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ztp-site-generate-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/opentelemetry-collector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41605\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41605\nhttp://www.openwall.com/lists/oss-security/2026/04/28/4\nhttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql" ],
  "name" : "CVE-2026-41605",
  "csaw" : false
}