CVE-2026-34043
Description
RHSA-2026:21291: .NET 8.0 security update (Important)
Description
serialize-javascript: Denial of Service via specially crafted array-like object serialization
Red Hat statement
Red Hat products in their default configurations do not accept input from unauthenticated users.
CVSS v3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | dotnet8.0-0:8.0.127-1.el10_2 | RHSA-2026:21286 | 2026-05-27T00:00:00Z |
| Red Hat Enterprise Linux 8 | dotnet8.0-0:8.0.127-1.el8_10 | RHSA-2026:21291 | 2026-05-27T00:00:00Z |
| Red Hat Enterprise Linux 9 | dotnet8.0-0:8.0.127-1.el9_8 | RHSA-2026:21293 | 2026-05-27T00:00:00Z |
| Red Hat OpenShift Container Platform 4.18 | openshift4/ose-networking-console-plugin-rhel9:1778256287 | RHSA-2026:17448 | 2026-05-20T00:00:00Z |
| Red Hat OpenShift Container Platform 4.19 | openshift4/ose-networking-console-plugin-rhel9:1779256322 | RHSA-2026:20041 | 2026-05-27T00:00:00Z |
| Red Hat OpenShift Container Platform 4.2 | openshift4/ose-networking-console-plugin-rhel9:1778644858 | RHSA-2026:17468 | 2026-05-20T00:00:00Z |
| Red Hat OpenShift Container Platform 4.21 | openshift4/ose-networking-console-plugin-rhel9:1778532500 | RHSA-2026:17474 | 2026-05-19T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Cryostat 4 | cryostat-openshift-console-plugin-npm | Affected |
| Cryostat 4 | serialize-javascript | Not affected |
| Gatekeeper 3 | gatekeeper/gatekeeper-rhel9 | Not affected |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel9 | Fix deferred |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-operator-bundle | Fix deferred |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-proxy-rhel9 | Fix deferred |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel9-operator | Fix deferred |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-curator5-rhel9 | Fix deferred |
| Network Observability Operator | network-observability/network-observability-console-plugin-compat-rhel9 | Fix deferred |
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Fix deferred |
| Node HealthCheck Operator | workload-availability/node-healthcheck-must-gather-rhel9 | Fix deferred |
| Node HealthCheck Operator | workload-availability/node-healthcheck-operator-bundle | Fix deferred |
| Node HealthCheck Operator | workload-availability/node-healthcheck-rhel9-operator | Fix deferred |
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel9 | Fix deferred |
| Red Hat 3scale API Management Platform 2 | 3scale-amp20/system | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp21/system | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp22/system | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp24/system | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp25/system | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp26/system | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp2/system-rhel7 | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp2/system-rhel8 | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp2/system-rhel9 | Affected |
| Red Hat AMQ Broker 7 | serialize-javascript | Not affected |
| Red Hat Ansible Automation Platform 2 | ansible-on-clouds/aoc-azure-aap-installer-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | automation-eda-controller | Fix deferred |
| Red Hat Ansible Automation Platform 2 | automation-gateway | Fix deferred |
| Red Hat Ansible Automation Platform 2 | automation-platform-ui | Affected |
| Red Hat build of Apache Camel - HawtIO 4 | serialize-javascript | Affected |
| Red Hat build of Apicurio Registry 2 | serialize-javascript | Fix deferred |
| Red Hat Build of Keycloak | serialize-javascript | Will not fix |
| Red Hat Build of Podman Desktop | podman-desktop-macos-1-0 | Affected |
| Red Hat Build of Podman Desktop | podman-desktop-windows-1-0 | Affected |
| Red Hat Data Grid 8 | serialize-javascript | Not affected |
| Red Hat Enterprise Linux 8 | grafana | Affected |
| Red Hat Enterprise Linux 8 | pcs | Not affected |
| Red Hat Enterprise Linux 9 | dotnet6.0 | Not affected |
| Red Hat Enterprise Linux 9 | dotnet7.0 | Not affected |
| Red Hat Enterprise Linux 9 | grafana | Affected |
| Red Hat Enterprise Linux 9 | pcs | Not affected |
| Red Hat Fuse 7 | serialize-javascript | Fix deferred |
| Red Hat JBoss Enterprise Application Platform 8 | serialize-javascript | Not affected |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | serialize-javascript | Not affected |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console-rhel9 | Affected |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-monitoring-plugin-rhel9 | Affected |
| Red Hat Openshift Data Foundation 4 | odf4/ocs-client-console-rhel9 | Fix deferred |
| Red Hat Openshift Data Foundation 4 | odf4/odf-console-rhel9 | Fix deferred |
| Red Hat Openshift Data Foundation 4 | odf4/odf-multicluster-console-rhel9 | Fix deferred |
| Red Hat OpenShift GitOps | openshift-gitops-1/argocd-rhel8 | Affected |
| Red Hat OpenShift GitOps | openshift-gitops-1/argocd-rhel9 | Affected |
| Red Hat OpenShift Virtualization 4 | container-native-virtualization/kubevirt-console-plugin-rhel9 | Fix deferred |
| Red Hat Process Automation 7 | serialize-javascript | Fix deferred |
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred |
| Red Hat Satellite 6 | nodejs-compression-webpack-plugin | Not affected |
| Red Hat Satellite 6 | nodejs-webpack | Not affected |
| Red Hat Single Sign-On 7 | serialize-javascript | Fix deferred |
| streams for Apache Kafka 2 | serialize-javascript | Fix deferred |
| streams for Apache Kafka 3 | serialize-javascript | Not affected |
Apply commands
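```bash
# dotnet8.0 is the source package name; the installed RPMs are named
# dotnet-*-8.0 and aspnetcore-*-8.0, so match them with globs.
yum update -y 'dotnet*8.0*' 'aspnetcore*8.0*'
# or:
dnf upgrade -y 'dotnet*8.0*' 'aspnetcore*8.0*'
```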
Affected
| Vendor | Product | State |
|---|---|---|
| redhat | Cryostat 4 | Affected |
| redhat | Cryostat 4 | Not affected |
| redhat | Gatekeeper 3 | Not affected |
| redhat | Red Hat 3scale API Management Platform 2 | Affected |
| redhat | Red Hat AMQ Broker 7 | Not affected |
| redhat | Red Hat Ansible Automation Platform 2 | Affected |
| redhat | Red Hat Ansible Automation Platform 2 | Affected |
| redhat | Red Hat build of Apache Camel - HawtIO 4 | Affected |
| redhat | Red Hat Build of Podman Desktop | Affected |
| redhat | Red Hat Build of Podman Desktop | Affected |
| redhat | Red Hat Data Grid 8 | Not affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat JBoss Enterprise Application Platform 8 | Not affected |
| redhat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not affected |
| redhat | Red Hat OpenShift Container Platform 4 | Affected |
| redhat | Red Hat OpenShift Container Platform 4 | Affected |
| redhat | Red Hat OpenShift GitOps | Affected |
| redhat | Red Hat OpenShift GitOps | Affected |
| redhat | Red Hat Satellite 6 | Not affected |
| redhat | Red Hat Satellite 6 | Not affected |
| redhat | streams for Apache Kafka 3 | Not affected |
OS impact
Debian: Mixed (5 releases)
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Fixed | 7.0.5+~5.0.4-1 |
| forky | Fixed | 7.0.5+~5.0.4-1 |
| bullseye | Affected | - |
| bookworm | Affected | - |
AlmaLinux: Fixed (2 releases)
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | aspnetcore-runtime-dbg-8.0-8.0.27-1.el9_8.aarch64.rpm |
| 8 | Fixed | dotnet-sdk-8.0-source-built-artifacts-8.0.127-1.el8_10.x86_64.rpm |
Red Hat: Fixed (2 releases)
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
| 8 | Fixed | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | serialize-javascript | >=5.0.0,<7.0.5 | 7.0.5 |
References
- https://access.redhat.com/errata/RHSA-2026:21293
- https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
- https://nvd.nist.gov/vuln/detail/CVE-2026-34043
- https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
- https://github.com/yahoo/serialize-javascript
- https://github.com/yahoo/serialize-javascript/releases/tag/v5.0.0
- https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5
- https://security-tracker.debian.org/tracker/CVE-2026-34043
- https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
- https://access.redhat.com/errata/RHSA-2026:21291
- https://bugzilla.redhat.com/2453284
- https://bugzilla.redhat.com/2476605
- https://errata.almalinux.org/8/ALSA-2026-21291.html
- https://errata.almalinux.org/9/ALSA-2026-21293.html