Red Hat Security Advisory: Red Hat Quay 3.16.2

CVE-2024-34156 — encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion CVE-2024-45337 — golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto CVE-2024-45338 — golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html CVE-2025-15284 — qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-31133 — runc: container escape via 'masked path' abuse due to mount race conditions CVE-2025-52881 — runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2025-65945 — node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm CVE-2025-66418 — urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66471 — urllib3: urllib3 Streaming API improperly handles highly compressed data CVE-2026-21441 — urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) CVE-2026-24049 — wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking