SB2026041759 - Splunk Operator for Kubernetes Add-on update for third-party components
Published: April 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2025-58181)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing GSSAPI authentication requests. A remote attacker can send specially crafted GSSAPI authentication requests to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Out-of-bounds read (CVE-ID: CVE-2025-5318)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the sftp_handle() function. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.
3) Incorrect calculation (CVE-ID: CVE-2025-5372)
The vulnerability allows a remote user to perform MitM attack.
The vulnerability exist due to incorrect calculation within the ssh_kdf() function responsible for key derivation when built with OpenSSL versions older than 3.0. A remote user can compromise the integrity of the SSH session.
4) NULL pointer dereference (CVE-ID: CVE-2025-32990)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when the certtool program is invoked with a template file with a number of string pairs for a single keyword. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
5) NULL pointer dereference (CVE-ID: CVE-2025-6395)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when a TLS 1.3 handshake involves a Hello Retry Request and the second Client Hello omits the PSK which was present in the first Client Hello. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
6) Double free (CVE-ID: CVE-2025-32988)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when exporting a certificate with an otherName in the SAN (subject alternative name) extension. A remote attacker can trick the victim into export a specially crafted certificate, trigger a double free error on the ASN.1 structure and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Out-of-bounds read (CVE-ID: CVE-2025-47914)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition when processing new identity requests in SSH Agent servers. A remote attacker can send specially crafted GSSAPI authentication requests to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
8) Integer overflow (CVE-ID: CVE-2025-13601)
The vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to integer overflow within the g_escape_uri_string() function. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and perform a denial of service attack.
9) Input validation error (CVE-ID: CVE-2025-47913)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling SSH_AGENT_SUCCESS responses in ssh agent. A malicious server can send a specially crafted response to the ssh client and crash it.
10) Input validation error (CVE-ID: CVE-2025-61728)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing zip archives. A remote attacker can pass specially crafted zip archive to the application and perform a denial of service (DoS) attack.
11) Protection Mechanism Failure (CVE-ID: CVE-2025-22874)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in crypto/x509 when using ExtKeyUsageAny. When calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny it disables policy validation.
This only affected certificate chains which contain policy graphs, which are rather uncommon.
12) Link following (CVE-ID: CVE-2025-0913)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an insecure link following issue within the os.OpenFile(path, os.O_CREATE|O_EXCL) method when handling dangling symlinks on Windows systems. A local user can create a specially crafted symbolic link and write arbitrary files to the system.
13) Information disclosure (CVE-ID: CVE-2025-4673)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to sensitive Proxy-Authorization and Proxy-Authenticate headers are not cleared on cross-origin redirect in net/http. A remote attacker can gain access to credentials passed via these headers.
14) Race condition (CVE-ID: CVE-2025-61730)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to a race condition when handling multiple messages during TLS 1.3 handshake. A remote attacker with ability to inject messages during the handshake can gain access to sensitive information.
15) Resource exhaustion (CVE-ID: CVE-2025-61726)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the Request.ParseForm method in net/http when parsing a URL-encoded form. A remote attacker can pass an overly large request with a large number of key-value pairs and consume all available memory on the system.
16) Improper Certificate Validation (CVE-ID: CVE-2025-68121)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper certificate validation within HTTP/3 connections. A remote attacker can cause cause a client to resume a session with a server that it would not have resumed with during the initial handshake
Remediation
Install update from vendor's website.