Red Hat Product Errata RHSA-2026:22450 - Security Advisory
Issued: 2026-06-02
Updated: 2026-06-02

Synopsis
Important: osbuild-composer security update

Type/Severity
Security Advisory: Important

Topic
An update for osbuild-composer is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
osbuild-composer is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local use, it can also upload images directly to the cloud. It is compatible with the composer-cli and cockpit-composer clients.

Security Fix(es):

* golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
* crypto/x509: Incorrect enforcement of email constraints in crypto/x509 (CVE-2026-27137)
* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
* github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message (CVE-2026-4427, GHSA-jqcq-xjh3-6g23)
* google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
* github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server (CVE-2026-32286)
* github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 10 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64
Red Hat Enterprise Linux for IBM z Systems 10 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x
Red Hat Enterprise Linux for Power, little endian 10 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le
Red Hat Enterprise Linux for ARM 64 10 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x
Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le
Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x

Fixes
BZ - 2434431 - CVE-2025-61728 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url
BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
BZ - 2445345 - CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509
BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
BZ - 2448626 - CVE-2026-4427 github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message
BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
BZ - 2451847 - CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server
BZ - 2455470 - CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
RHEL-179244 - osbuild-composer host executor eats all output in case of failure
RHEL-180005 - CLONE - images: Generate manifests with the appropriate options for handling PQC keys

CVEs
CVE-2025-61726
CVE-2025-61728
CVE-2025-68121
CVE-2026-4427
CVE-2026-25679
CVE-2026-27137
CVE-2026-32282
CVE-2026-32283
CVE-2026-32286
CVE-2026-33186
CVE-2026-34986

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
This security update for osbuild-composer addresses multiple vulnerabilities in its underlying Go components and dependencies, including critical and high-severity issues such as a TLS session resumption flaw (CVE-2025-68121, CVSS 10.0) allowing unauthorized access, a memory exhaustion bug in URL parsing (CVE-2025-61726, CVSS 7.5), and an authorization bypass in gRPC-Go (CVE-2026-33186). The vulnerabilities affect osbuild-composer on Red Hat Enterprise Linux 10. The fix is delivered via the Red Hat erratum RHSA-2026:22450, and systems should be updated using the standard Red Hat patch management process.