Red Hat Product Errata
RHSA-2026:16102 - Security Advisory
Issued: 2026-05-11
Updated: 2026-05-11

Synopsis
Important: buildah security update

Type/Severity
Security Advisory: Important

Topic
An update for buildah is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to:
Create a working container, either from scratch or using an image as a starting point;
Create an image, either from a working container or using the instructions in a Dockerfile;
Build both Docker and OCI images.

Security Fix(es):
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS (CVE-2025-47913)
crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes
BZ - 2414943 - CVE-2025-47913 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS
BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url
BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

CVEs
CVE-2025-47913
CVE-2025-61726
CVE-2025-61729
CVE-2025-68121
CVE-2026-25679
CVE-2026-32283

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Updated Packages

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0
SRPM
buildah-1.26.11-1.el9_0.src.rpm
ppc64le
buildah-1.26.11-1.el9_0.ppc64le.rpm
buildah-debuginfo-1.26.11-1.el9_0.ppc64le.rpm
buildah-debugsource-1.26.11-1.el9_0.ppc64le.rpm
buildah-tests-1.26.11-1.el9_0.ppc64le.rpm
buildah-tests-debuginfo-1.26.11-1.el9_0.ppc64le.rpm

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0
SRPM
buildah-1.26.11-1.el9_0.src.rpm
x86_64
buildah-1.26.11-1.el9_0.x86_64.rpm
buildah-debuginfo-1.26.11-1.el9_0.x86_64.rpm
buildah-debugsource-1.26.11-1.el9_0.x86_64.rpm
buildah-tests-1.26.11-1.el9_0.x86_64.rpm
buildah-tests-debuginfo-1.26.11-1.el9_0.x86_64.rpm

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0
SRPM
buildah-1.26.11-1.el9_0.src.rpm
aarch64
buildah-1.26.11-1.el9_0.aarch64.rpm
buildah-debuginfo-1.26.11-1.el9_0.aarch64.rpm
buildah-debugsource-1.26.11-1.el9_0.aarch64.rpm
buildah-tests-1.26.11-1.el9_0.aarch64.rpm
buildah-tests-debuginfo-1.26.11-1.el9_0.aarch64.rpm

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0
SRPM
buildah-1.26.11-1.el9_0.src.rpm
s390x
buildah-1.26.11-1.el9_0.s390x.rpm
buildah-debuginfo-1.26.11-1.el9_0.s390x.rpm
buildah-debugsource-1.26.11-1.el9_0.s390x.rpm
buildah-tests-1.26.11-1.el9_0.s390x.rpm
buildah-tests-debuginfo-1.26.11-1.el9_0.s390x.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

This security update for the buildah container tool addresses multiple vulnerabilities in its underlying Go components, including denial-of-service via crafted certificates (CVE-2025-61729), memory exhaustion in URL parsing (CVE-2025-61726), and an SSH client panic (CVE-2025-47913), all rated with a CVSS score of 7.5 (High). The affected versions include Go versions prior to 1.24.11/1.24.12 and between 1.25.0 and 1.25.5/1.25.6, as well as the golang.org/x/crypto/ssh package prior to version 0.43.0. The fix is applied by updating the buildah package per the Red Hat advisory.