Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch cri-o for CVE-2026-40890 [HIGH] - branch main" #16858

CBL-Mariner-Bot · azurelinux-security · web-flow · commit b19721ac37f0 · 2026-04-23T19:33:04.000-07:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
diff --git a/SPECS/cri-o/CVE-2026-40890.patch b/SPECS/cri-o/CVE-2026-40890.patch
@@ -0,0 +1,30 @@
+From 8b227d190f1d61c41105ca5cd6f8db0611f07064 Mon Sep 17 00:00:00 2001
+From: Jules Denardou <14008484+JulesDT@users.noreply.github.com>
+Date: Fri, 10 Apr 2026 17:25:10 -0400
+Subject: [PATCH] fix oob read when no > is found
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778.patch
+---
+ vendor/github.com/gomarkdown/markdown/html/smartypants.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/gomarkdown/markdown/html/smartypants.go b/vendor/github.com/gomarkdown/markdown/html/smartypants.go
+index a09866b..ee9890a 100644
+--- a/vendor/github.com/gomarkdown/markdown/html/smartypants.go
++++ b/vendor/github.com/gomarkdown/markdown/html/smartypants.go
+@@ -363,7 +363,10 @@ func (r *SPRenderer) smartLeftAngle(out *bytes.Buffer, previousChar byte, text [
+ 		i++
+ 	}
+ 
+-	out.Write(text[:i+1])
++	if i == len(text) { // No > found until the end of the text
++		return i
++	}
++	out.Write(text[:i+1]) // include the '>'
+ 	return i
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary:        OCI-based implementation of Kubernetes Container Runtime Interfa
 # Define macros for further referenced sources
 Name:           cri-o
 Version:        1.22.3
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -82,6 +82,7 @@ Patch26:        CVE-2025-58183.patch
 Patch27:        CVE-2025-65637.patch
 Patch28:        CVE-2025-11065.patch
 Patch29:        CVE-2025-47911.patch
+Patch30:        CVE-2026-40890.patch
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -232,6 +233,9 @@ mkdir -p /opt/cni/bin
 %{_fillupdir}/sysconfig.kubelet
 
 %changelog
+* Wed Apr 22 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.22.3-21
+- Patch for CVE-2026-40890
+
 * Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.22.3-20
 - Patch for CVE-2025-47911
 
