RHSA-2026:22450
Advisory lineage Upstream: 11 Downstream: 0
Published: 03 Jun 2026, 10:20
Last modified: 05 Jun 2026, 10:06
Vulnerability Summary
Overall Risk (default): high, 70/100
CVSS Score: 9.1 CRITICAL, 3.1 (osv_red_hat)
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 03 Jun 2026, 10:20: Published. Vulnerability first disclosed
- 05 Jun 2026, 10:06: Last Modified. Vulnerability information updated
Description
Red Hat Security Advisory: osbuild-composer security update
CVSS Metrics
- v3.1•CRITICAL•Score: 9.1•CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Systems
- redhat•osbuild-composer < 0:165.1-2.el10_2
- redhat•osbuild-composer-core < 0:165.1-2.el10_2
- redhat•osbuild-composer-core-debuginfo < 0:165.1-2.el10_2
- redhat•osbuild-composer-debuginfo < 0:165.1-2.el10_2
- redhat•osbuild-composer-debugsource < 0:165.1-2.el10_2
- redhat•osbuild-composer-tests-debuginfo < 0:165.1-2.el10_2
- redhat•osbuild-composer-worker < 0:165.1-2.el10_2
- redhat•osbuild-composer-worker-debuginfo < 0:165.1-2.el10_2
References (79)
- https://access.redhat.com/errata/RHSA-2026:22450
- https://access.redhat.com/security/updates/classification/#important
- https://bugzilla.redhat.com/show_bug.cgi?id=2434431
- https://bugzilla.redhat.com/show_bug.cgi?id=2434432
- https://bugzilla.redhat.com/show_bug.cgi?id=2437111
- https://bugzilla.redhat.com/show_bug.cgi?id=2445345
- https://bugzilla.redhat.com/show_bug.cgi?id=2445356
- https://bugzilla.redhat.com/show_bug.cgi?id=2448626
- https://bugzilla.redhat.com/show_bug.cgi?id=2449833
- https://bugzilla.redhat.com/show_bug.cgi?id=2451847
- https://bugzilla.redhat.com/show_bug.cgi?id=2455470
- https://bugzilla.redhat.com/show_bug.cgi?id=2456336
- https://bugzilla.redhat.com/show_bug.cgi?id=2456338
- https://issues.redhat.com/browse/RHEL-179244
- https://issues.redhat.com/browse/RHEL-180005
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_22450.json
- https://access.redhat.com/security/cve/CVE-2025-61726
- https://www.cve.org/CVERecord?id=CVE-2025-61726
- https://nvd.nist.gov/vuln/detail/CVE-2025-61726
- https://go.dev/cl/736712
- https://go.dev/issue/77101
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- https://pkg.go.dev/vuln/GO-2026-4341
- https://access.redhat.com/security/cve/CVE-2025-61728
- https://www.cve.org/CVERecord?id=CVE-2025-61728
- https://nvd.nist.gov/vuln/detail/CVE-2025-61728
- https://go.dev/cl/736713
- https://go.dev/issue/77102
- https://pkg.go.dev/vuln/GO-2026-4342
- https://access.redhat.com/security/cve/CVE-2025-68121
- https://www.cve.org/CVERecord?id=CVE-2025-68121
- https://nvd.nist.gov/vuln/detail/CVE-2025-68121
- https://go.dev/cl/737700
- https://go.dev/issue/77217
- https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
- https://pkg.go.dev/vuln/GO-2026-4337
- https://access.redhat.com/security/cve/CVE-2026-4427
- https://www.cve.org/CVERecord?id=CVE-2026-4427
- https://access.redhat.com/security/cve/CVE-2026-25679
- https://www.cve.org/CVERecord?id=CVE-2026-25679
- https://nvd.nist.gov/vuln/detail/CVE-2026-25679
- https://go.dev/cl/752180
- https://go.dev/issue/77578
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
- https://pkg.go.dev/vuln/GO-2026-4601
- https://access.redhat.com/security/cve/CVE-2026-27137
- https://www.cve.org/CVERecord?id=CVE-2026-27137
- https://nvd.nist.gov/vuln/detail/CVE-2026-27137
- https://go.dev/cl/752182
- https://go.dev/issue/77952
- https://pkg.go.dev/vuln/GO-2026-4599
- https://access.redhat.com/security/cve/CVE-2026-32282
- https://www.cve.org/CVERecord?id=CVE-2026-32282
- https://nvd.nist.gov/vuln/detail/CVE-2026-32282
- https://go.dev/cl/763761
- https://go.dev/issue/78293
- https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
- https://pkg.go.dev/vuln/GO-2026-4864
- https://access.redhat.com/security/cve/CVE-2026-32283
- https://www.cve.org/CVERecord?id=CVE-2026-32283
- https://nvd.nist.gov/vuln/detail/CVE-2026-32283
- https://go.dev/cl/763767
- https://go.dev/issue/78334
- https://pkg.go.dev/vuln/GO-2026-4870
- https://access.redhat.com/security/cve/CVE-2026-32286
- https://www.cve.org/CVERecord?id=CVE-2026-32286
- https://nvd.nist.gov/vuln/detail/CVE-2026-32286
- https://github.com/golang/vulndb/issues/4518
- https://github.com/jackc/pgx/issues/2507
- https://pkg.go.dev/vuln/GO-2026-4518
- https://access.redhat.com/security/cve/CVE-2026-33186
- https://www.cve.org/CVERecord?id=CVE-2026-33186
- https://nvd.nist.gov/vuln/detail/CVE-2026-33186
- https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
- https://access.redhat.com/security/cve/CVE-2026-34986
- https://www.cve.org/CVERecord?id=CVE-2026-34986
- https://nvd.nist.gov/vuln/detail/CVE-2026-34986
- https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
- https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants