Red Hat Product Errata RHSA-2026:22714 - Security Advisory
Issued: 2026-06-03
Updated: 2026-06-03

Synopsis
Important: osbuild-composer security update

Type/Severity
Security Advisory: Important

Topic
An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
osbuild-composer is a service for building customized OS artifacts, such as VM images and OSTree commits, using osbuild under the hood. Besides building images for local usage, it can also upload images directly to the cloud. It is compatible with the composer-cli and cockpit-composer clients.
Security Fix(es):
golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
crypto/x509: Incorrect enforcement of email constraints in crypto/x509 (CVE-2026-27137)
net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message (CVE-2026-4427, GHSA-jqcq-xjh3-6g23)
google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server (CVE-2026-32286)
github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 9 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
Red Hat Enterprise Linux for IBM z Systems 9 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
Red Hat Enterprise Linux for Power, little endian 9 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
Red Hat Enterprise Linux for ARM 64 9 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes
BZ - 2434431 - CVE-2025-61728 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url
BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
BZ - 2445345 - CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509
BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
BZ - 2448626 - CVE-2026-4427 github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message
BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
BZ - 2451847 - CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server
BZ - 2455470 - CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
RHEL-179251 - osbuild-composer host executor eats all output in case of failure
RHEL-180018 - images: Generate manifests with the appropriate options for handling PQC keys

CVEs
CVE-2025-61726
CVE-2025-61728
CVE-2025-68121
CVE-2026-4427
CVE-2026-25679
CVE-2026-27137
CVE-2026-32282
CVE-2026-32283
CVE-2026-32286
CVE-2026-33186
CVE-2026-34986

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
This security update for osbuild-composer addresses multiple vulnerabilities in its underlying Go components, including critical and high-severity issues such as a TLS session resumption flaw (CVE-2025-68121, CVSS 10.0) allowing unexpected resumption, a memory exhaustion bug in URL parsing (CVE-2025-61726, CVSS 7.5), and authorization bypass in gRPC-Go (CVE-2026-33186). The affected Go versions are below 1.24.12/1.25.6 for some CVEs and below 1.24.13/1.25.7 for others, requiring an update to the patched osbuild-composer package provided by Red Hat.