Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:10135: Important: buildah security update

A Denial of Service vulnerability (CVE-2026-34986, CVSS 7.5 HIGH) exists in the `go-jose` library used by Buildah, triggered by processing a crafted JSON Web Encryption (JWE) object. The vulnerability affects Buildah packages for Red Hat Enterprise Linux 9, and the advisory provides updated packages, specifically version `buildah-1.41.8-3.el9_7`, to remediate the issue.

Red Hat Product Errata: RHSA-2026:10135 - Security Advisory

Issued: 2026-04-23
Updated: 2026-04-23

Synopsis: Important: buildah security update

Type/Severity: Security Advisory: Important

Topic: An update for buildah is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description: The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to:

- Create a working container, either from scratch or using an image as a starting point;
- Create an image, either from a working container or using the instructions in a Dockerfile;
- Build both Docker and OCI images.

Security Fix(es):

- github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products:

- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes: BZ - 2455470 - CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

CVEs: CVE-2026-34986

References: https://access.redhat.com/security/updates/classification/#important

Updated Packages: Note: More recent versions of these packages may be available. For each affected product (x86_64, s390x, ppc64le, aarch64) the advisory lists the SRPM `buildah-1.41.8-3.el9_7.src.rpm` and the binary packages buildah, buildah-debuginfo, buildah-debugsource, buildah-tests and buildah-tests-debuginfo at version `1.41.8-3.el9_7`.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
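To confirm that a RHEL 9 host carries the remediated build, the installed buildah version-release can be compared against `1.41.8-3.el9_7` using RPM's segment ordering. This is an added example, not part of the Red Hat advisory; the function names are hypothetical, and it assumes the epoch can be ignored (the page states none) and that the strings contain no `~` or `^` markers.

```python
import re
import subprocess

FIXED_VR = "1.41.8-3.el9_7"  # fixed buildah build named in RHSA-2026:10135

def seg_cmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings segment by segment."""
    xs = re.findall(r"\d+|[A-Za-z]+", a)
    ys = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(xs, ys):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric segment is newer than alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with extra segments is newer.
    return (len(xs) > len(ys)) - (len(xs) < len(ys))

def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    av, _, ar = a.rpartition("-")
    bv, _, br = b.rpartition("-")
    return seg_cmp(av, bv) or seg_cmp(ar, br)

def is_remediated(installed: str, fixed: str = FIXED_VR) -> bool:
    """True when the installed build is the fixed build or newer."""
    return vr_cmp(installed, fixed) >= 0

def installed_vr(pkg: str = "buildah"):
    """Return the installed version-release of pkg, or None if unavailable."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", pkg],
            capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None                            # rpm missing or package not installed
    lines = out.stdout.split()
    return lines[0] if lines else None

if __name__ == "__main__":
    vr = installed_vr()
    if vr is None:
        print("buildah not installed (or rpm unavailable)")
    else:
        state = "remediated" if is_remediated(vr) else "NEEDS UPDATE"
        print(f"buildah {vr}: {state} (fixed in {FIXED_VR})")
```
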
