From 94089257889ca909b5f5b93b5fa68c96e4f06615 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Fri, 13 Feb 2026 18:50:50 +0000
Subject: [PATCH] Patch helm for CVE-2025-47911

---
 SPECS/helm/CVE-2025-47911.patch | 100 ++++++++++++++++++++++++++++++++
 SPECS/helm/helm.spec            |   6 +-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/helm/CVE-2025-47911.patch

diff --git a/SPECS/helm/CVE-2025-47911.patch b/SPECS/helm/CVE-2025-47911.patch
new file mode 100644
index 00000000000..415c0894033
--- /dev/null
+++ b/SPECS/helm/CVE-2025-47911.patch
@@ -0,0 +1,100 @@
+From dbd6184100b18166e122fea4d0ca3405af7d8145 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go |  2 +-
+ vendor/golang.org/x/net/html/parse.go  | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index 04c6bec..12f2273 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ 		case '\r':
+ 			esc = "&#13;"
+ 		default:
+-			panic("unrecognized escape character")
++			panic("html: unrecognized escape character")
+ 		}
+ 		s = s[i+1:]
+ 		if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 5b8374b..044da77 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ 	}
+ 
+ 	if n.Type == ElementNode {
+-		p.oe = append(p.oe, n)
++		p.insertOpenElement(n)
++	}
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++	p.oe = append(p.oe, n)
++	if len(p.oe) > 512 {
++		panic("html: open stack of elements exceeds 512 nodes")
+ 	}
+ }
+ 
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ 			p.im = inFramesetIM
+ 			return true
+ 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+-			p.oe = append(p.oe, p.head)
++			p.insertOpenElement(p.head)
+ 			defer p.oe.remove(p.head)
+ 			return inHeadIM(p)
+ 		case a.Head:
+@@ -2308,9 +2315,13 @@ func (p *parser) parseCurrentToken() {
+ 	}
+ }
+ 
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++	defer func() {
++		if panicErr := recover(); panicErr != nil {
++			err = fmt.Errorf("%s", panicErr)
++		}
++	}()
+ 	// Iterate until EOF. Any other error will cause an early return.
+-	var err error
+ 	for err != io.EOF {
+ 		// CDATA sections are allowed only in foreign content.
+ 		n := p.oe.top()
+@@ -2339,6 +2350,8 @@ func (p *parser) parse() error {
+ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ 	return ParseWithOptions(r)
+-- 
+2.45.4
+
diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec
index 9954e34be24..9444ec87271 100644
--- a/SPECS/helm/helm.spec
+++ b/SPECS/helm/helm.spec
@@ -2,7 +2,7 @@
 
 Name:          helm
 Version:       3.14.2
-Release:       9%{?dist}
+Release:       10%{?dist}
 Summary:       The Kubernetes Package Manager
 Group:         Applications/Networking
 License:       Apache 2.0
@@ -30,6 +30,7 @@ Patch2:        CVE-2025-32386.patch
 Patch3:        CVE-2025-22872.patch
 Patch4:        CVE-2025-53547.patch
 Patch5:        CVE-2025-55198.patch
+Patch6:        CVE-2025-47911.patch
 BuildRequires: golang
 
 %description
@@ -59,6 +60,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
 go test -v ./cmd/helm
 
 %changelog
+* Fri Feb 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-10
+- Patch for CVE-2025-47911
+
 * Fri Sep 19 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-9
 - Patch for CVE-2025-55198