Red Hat Product Errata RHSA-2026:19750 - Security Advisory Issued: 2026-05-20 Updated: 2026-05-20 RHSA-2026:19750 - Security Advisory Overview Updated Packages Synopsis Important: osbuild-composer security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for osbuild-composer is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fix(es): net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282) crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages BZ - 2456339 - CVE-2026-32280 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVEs CVE-2026-25679 CVE-2026-32280 CVE-2026-32282 CVE-2026-32283 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 x86_64 osbuild-composer-134.1-7.el10_0.x86_64.rpm SHA-256: fb37afc455a6ae88fd85049121e107d0cb8a367f744eb8bdb7523cf1e93360ea osbuild-composer-core-134.1-7.el10_0.x86_64.rpm SHA-256: 5df1fe11878b06b63b88569f811d6e1fb5e6892471af8829548580f19552352c osbuild-composer-core-debuginfo-134.1-7.el10_0.x86_64.rpm SHA-256: 992132f1bbda2dc766070def42afbe26fa4ccf891638280a2af1aa75c843b498 osbuild-composer-debugsource-134.1-7.el10_0.x86_64.rpm SHA-256: e5a17c6e3f43821bd60615ba97d5b41fa38c6ee67d3c60576e5b0e2b13a746f1 osbuild-composer-tests-debuginfo-134.1-7.el10_0.x86_64.rpm SHA-256: 010fe985be5a3d2d8e761b0dbdceb7f321e30e59192867d60ff417dd9f71b7c5 osbuild-composer-worker-134.1-7.el10_0.x86_64.rpm SHA-256: 509a08affc76f1f5268e17562e3347e53396df2ba37b9dc8bde104450d5c83b1 osbuild-composer-worker-debuginfo-134.1-7.el10_0.x86_64.rpm SHA-256: 7d237deec17e15bff40edd64c182cb32274fd44dbca26f7a7957ed97069e7535 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 s390x osbuild-composer-134.1-7.el10_0.s390x.rpm SHA-256: cfe5f9aa48f6bd69839a9281b581fbdf19885a03dd9398d4f0616e7e3a0dd885 osbuild-composer-core-134.1-7.el10_0.s390x.rpm SHA-256: 3acbe5ea60ffe1df0ef52c39e432f8dc0f7fa1bf5cdf0048073aaf134dd2a3a2 osbuild-composer-core-debuginfo-134.1-7.el10_0.s390x.rpm SHA-256: 69921892e76f6f7367632f086f5b87b5eb1b40d1cc26dd4f9d6a42efbf60c77d osbuild-composer-debugsource-134.1-7.el10_0.s390x.rpm SHA-256: 450129bb0f1ddd2aa506808b084c0705db92da8cec4f20888ba44a69133973b9 osbuild-composer-tests-debuginfo-134.1-7.el10_0.s390x.rpm SHA-256: 14e7200ca06203f49fb9af6e1ca24043d17b791ca6100011e504e58cab75b048 osbuild-composer-worker-134.1-7.el10_0.s390x.rpm SHA-256: fd34c7b578193173004bdf71a71c3f997c6ae78dd3e99696ee362e9b2c1a1ff8 osbuild-composer-worker-debuginfo-134.1-7.el10_0.s390x.rpm SHA-256: 729f92e6ed86acb30a95bcda7d21b3c34579bfedd72244ed2ce9dc507bdaa331 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 ppc64le osbuild-composer-134.1-7.el10_0.ppc64le.rpm SHA-256: e3a40781963fdd135b7d2d4c383f7fc7676465f654f4296d5655428ecc47319c osbuild-composer-core-134.1-7.el10_0.ppc64le.rpm SHA-256: ed268f03895addd5bb3297ad471c059f334fac15785de22eeb8749acdb994ee5 osbuild-composer-core-debuginfo-134.1-7.el10_0.ppc64le.rpm SHA-256: 696d35fb4f01b230bb9625c9c61efa9478374a22cdba4a3637752152eef50ac7 osbuild-composer-debugsource-134.1-7.el10_0.ppc64le.rpm SHA-256: c5105106c486d7448e084bfb94c307f807dd0fd833b54cb918c522e6c351db4b osbuild-composer-tests-debuginfo-134.1-7.el10_0.ppc64le.rpm SHA-256: c2c656facc1c868d8a5dd73a9f67ae45fda6772b0626a337b38cc5315f308f39 osbuild-composer-worker-134.1-7.el10_0.ppc64le.rpm SHA-256: 4b71f922c017ed668642e0b97c7e383e80e1430b9f1ee0fe8cefe53d002ca784 osbuild-composer-worker-debuginfo-134.1-7.el10_0.ppc64le.rpm SHA-256: 85db4ae61e9a647535eacd9623b124c5c1d53ebd2ab41f1f45d3f9cf93de3656 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 aarch64 osbuild-composer-134.1-7.el10_0.aarch64.rpm SHA-256: a7b10e0119142511993133603dcb94906d43aa4cbae472433bb09cf10ac14349 osbuild-composer-core-134.1-7.el10_0.aarch64.rpm SHA-256: 6bd3f19207c35975675f107e3ee156e132d26248f43b6c9a8f6f0027a592521f osbuild-composer-core-debuginfo-134.1-7.el10_0.aarch64.rpm SHA-256: eb9e28b9331d0e8ca55d71ec03108ac5437406c22716c068a942a43fba35acd0 osbuild-composer-debugsource-134.1-7.el10_0.aarch64.rpm SHA-256: 94d4724ec25c76f8c34095538982649838d15f91c67b24cd52c5817fff122b29 osbuild-composer-tests-debuginfo-134.1-7.el10_0.aarch64.rpm SHA-256: 065e0eac9d1365a868b6ec477bc0ab3bc59dfbdd5c75875dd79fbde2e635f65e osbuild-composer-worker-134.1-7.el10_0.aarch64.rpm SHA-256: bd6929bc071b6d98c35cbf269413d4867e9b18fe1da4075451b95dae4d635f15 osbuild-composer-worker-debuginfo-134.1-7.el10_0.aarch64.rpm SHA-256: 3f19e6df329c0fb74eb567fcfe8af58b38fa3300a2e4bf46067982b1f9947363 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 aarch64 osbuild-composer-134.1-7.el10_0.aarch64.rpm SHA-256: a7b10e0119142511993133603dcb94906d43aa4cbae472433bb09cf10ac14349 osbuild-composer-core-134.1-7.el10_0.aarch64.rpm SHA-256: 6bd3f19207c35975675f107e3ee156e132d26248f43b6c9a8f6f0027a592521f osbuild-composer-core-debuginfo-134.1-7.el10_0.aarch64.rpm SHA-256: eb9e28b9331d0e8ca55d71ec03108ac5437406c22716c068a942a43fba35acd0 osbuild-composer-debugsource-134.1-7.el10_0.aarch64.rpm SHA-256: 94d4724ec25c76f8c34095538982649838d15f91c67b24cd52c5817fff122b29 osbuild-composer-tests-debuginfo-134.1-7.el10_0.aarch64.rpm SHA-256: 065e0eac9d1365a868b6ec477bc0ab3bc59dfbdd5c75875dd79fbde2e635f65e osbuild-composer-worker-134.1-7.el10_0.aarch64.rpm SHA-256: bd6929bc071b6d98c35cbf269413d4867e9b18fe1da4075451b95dae4d635f15 osbuild-composer-worker-debuginfo-134.1-7.el10_0.aarch64.rpm SHA-256: 3f19e6df329c0fb74eb567fcfe8af58b38fa3300a2e4bf46067982b1f9947363 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 s390x osbuild-composer-134.1-7.el10_0.s390x.rpm SHA-256: cfe5f9aa48f6bd69839a9281b581fbdf19885a03dd9398d4f0616e7e3a0dd885 osbuild-composer-core-134.1-7.el10_0.s390x.rpm SHA-256: 3acbe5ea60ffe1df0ef52c39e432f8dc0f7fa1bf5cdf0048073aaf134dd2a3a2 osbuild-composer-core-debuginfo-134.1-7.el10_0.s390x.rpm SHA-256: 69921892e76f6f7367632f086f5b87b5eb1b40d1cc26dd4f9d6a42efbf60c77d osbuild-composer-debugsource-134.1-7.el10_0.s390x.rpm SHA-256: 450129bb0f1ddd2aa506808b084c0705db92da8cec4f20888ba44a69133973b9 osbuild-composer-tests-debuginfo-134.1-7.el10_0.s390x.rpm SHA-256: 14e7200ca06203f49fb9af6e1ca24043d17b791ca6100011e504e58cab75b048 osbuild-composer-worker-134.1-7.el10_0.s390x.rpm SHA-256: fd34c7b578193173004bdf71a71c3f997c6ae78dd3e99696ee362e9b2c1a1ff8 osbuild-composer-worker-debuginfo-134.1-7.el10_0.s390x.rpm SHA-256: 729f92e6ed86acb30a95bcda7d21b3c34579bfedd72244ed2ce9dc507bdaa331 Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM osbuild-composer-134.1-7.el10_0.src.rpm SHA-256: d9208bdb1a38c0407722d3603b97654bd99b2746fee16347b479ef651ed33cc4 ppc64le osbuild-composer-134.1-7.el10_0.ppc64le.rpm SHA-256: e3a40781963fdd135b7d2d4c383f7fc7676465f654f4296d5655428ecc47319c osbuild-compo