This Important update for Red Hat Enterprise Linux 9's image-builder tool addresses multiple vulnerabilities in its underlying Go components, including a critical (CVSS 10.0) session resumption flaw in crypto/tls (CVE-2025-68121) and high-severity issues like a memory exhaustion bug in net/url (CVE-2025-61726, CVSS 7.5). The affected image-builder packages contain Go versions prior to the fixes, specifically versions before Go 1.24.12/1.25.6 for some CVEs and before 1.24.13/1.25.7 for others. Red Hat has released patched packages, and administrators should apply the update immediately.
Red Hat Product Errata RHSA-2026:23228 - Security Advisory Issued: 2026-06-04 Updated: 2026-06-04 RHSA-2026:23228 - Security Advisory Overview Updated Packages Synopsis Important: image-builder security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for image-builder is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood. Security Fix(es): golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) crypto/x509: Incorrect enforcement of email constraints in crypto/x509 (CVE-2026-27137) net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186) github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986) golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282) crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x Fixes BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption BZ - 2445345 - CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509 BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation BZ - 2455470 - CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object BZ - 2456336 - CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root BZ - 2456338 - CVE-2026-32283 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages RHEL-141689 - images: Generate RHEL manifests with the appropriate options for handling PQC keys CVEs CVE-2025-61726 CVE-2025-68121 CVE-2026-25679 CVE-2026-27137 CVE-2026-32282 CVE-2026-32283 CVE-2026-33186 CVE-2026-34986 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c x86_64 image-builder-52.1-1.el9_8.x86_64.rpm SHA-256: ce5be8c5d90e3b5dad913c2ef734134cd04d8693ebc6802c8d3d9513644c0a25 image-builder-debuginfo-52.1-1.el9_8.x86_64.rpm SHA-256: 1369394ae9d19665fa430f345425c7eaafdd9fcfc624a8e1ffa49c1befc3e64f image-builder-debugsource-52.1-1.el9_8.x86_64.rpm SHA-256: cae018aaf728a62d603f67fde8f8fde3f9d2988c0aa618759a281163dce241ba Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c x86_64 image-builder-52.1-1.el9_8.x86_64.rpm SHA-256: ce5be8c5d90e3b5dad913c2ef734134cd04d8693ebc6802c8d3d9513644c0a25 image-builder-debuginfo-52.1-1.el9_8.x86_64.rpm SHA-256: 1369394ae9d19665fa430f345425c7eaafdd9fcfc624a8e1ffa49c1befc3e64f image-builder-debugsource-52.1-1.el9_8.x86_64.rpm SHA-256: cae018aaf728a62d603f67fde8f8fde3f9d2988c0aa618759a281163dce241ba Red Hat Enterprise Linux for IBM z Systems 9 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c s390x image-builder-52.1-1.el9_8.s390x.rpm SHA-256: 762fbf10557f9ce43c940b7dc3e9063a97a8181a0a168942c01ab4cbcb4fd430 image-builder-debuginfo-52.1-1.el9_8.s390x.rpm SHA-256: b56d6c80e8966e09f4a21c1f913e033a9d460c1e893acfed50095d4fb3f6ee1c image-builder-debugsource-52.1-1.el9_8.s390x.rpm SHA-256: 8208e0a517636bff049e704039021172bbb7ea09e5f4a1b378b0fa2988ad002e Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c s390x image-builder-52.1-1.el9_8.s390x.rpm SHA-256: 762fbf10557f9ce43c940b7dc3e9063a97a8181a0a168942c01ab4cbcb4fd430 image-builder-debuginfo-52.1-1.el9_8.s390x.rpm SHA-256: b56d6c80e8966e09f4a21c1f913e033a9d460c1e893acfed50095d4fb3f6ee1c image-builder-debugsource-52.1-1.el9_8.s390x.rpm SHA-256: 8208e0a517636bff049e704039021172bbb7ea09e5f4a1b378b0fa2988ad002e Red Hat Enterprise Linux for Power, little endian 9 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c ppc64le image-builder-52.1-1.el9_8.ppc64le.rpm SHA-256: 51562634f6136aacad6d6e2f90d5322ba24902ad4294b752fba5201c3d0c88c6 image-builder-debuginfo-52.1-1.el9_8.ppc64le.rpm SHA-256: 2a900253db8782b8803d01c5efd1517af3d0e7cf243681a325e644a789088ef0 image-builder-debugsource-52.1-1.el9_8.ppc64le.rpm SHA-256: 8ee09b36f9afb85535d7da245e1e5166697a46d97c03ec34ea7d0f00c566c78d Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c ppc64le image-builder-52.1-1.el9_8.ppc64le.rpm SHA-256: 51562634f6136aacad6d6e2f90d5322ba24902ad4294b752fba5201c3d0c88c6 image-builder-debuginfo-52.1-1.el9_8.ppc64le.rpm SHA-256: 2a900253db8782b8803d01c5efd1517af3d0e7cf243681a325e644a789088ef0 image-builder-debugsource-52.1-1.el9_8.ppc64le.rpm SHA-256: 8ee09b36f9afb85535d7da245e1e5166697a46d97c03ec34ea7d0f00c566c78d Red Hat Enterprise Linux for ARM 64 9 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c aarch64 image-builder-52.1-1.el9_8.aarch64.rpm SHA-256: d0a70a7d6c47201da373535379e8107d474e104f9195a5e85916604be34cf7fd image-builder-debuginfo-52.1-1.el9_8.aarch64.rpm SHA-256: 1ec4346f824372085e0a969c581eb14b284cb784b1481f8e826564df482d1689 image-builder-debugsource-52.1-1.el9_8.aarch64.rpm SHA-256: cace3a8633ac1fafe041df2076954a6550d508cc24c308c8a31ce6acf4260f37 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c aarch64 image-builder-52.1-1.el9_8.aarch64.rpm SHA-256: d0a70a7d6c47201da373535379e8107d474e104f9195a5e85916604be34cf7fd image-builder-debuginfo-52.1-1.el9_8.aarch64.rpm SHA-256: 1ec4346f824372085e0a969c581eb14b284cb784b1481f8e826564df482d1689 image-builder-debugsource-52.1-1.el9_8.aarch64.rpm SHA-256: cace3a8633ac1fafe041df2076954a6550d508cc24c308c8a31ce6acf4260f37 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c ppc64le image-builder-52.1-1.el9_8.ppc64le.rpm SHA-256: 51562634f6136aacad6d6e2f90d5322ba24902ad4294b752fba5201c3d0c88c6 image-builder-debuginfo-52.1-1.el9_8.ppc64le.rpm SHA-256: 2a900253db8782b8803d01c5efd1517af3d0e7cf243681a325e644a789088ef0 image-builder-debugsource-52.1-1.el9_8.ppc64le.rpm SHA-256: 8ee09b36f9afb85535d7da245e1e5166697a46d97c03ec34ea7d0f00c566c78d Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 SRPM image-builder-52.1-1.el9_8.src.rpm SHA-256: de7e838368961323ae01f8b8d9911cedf44491376b2dc10a4fc4f1ac6a8dac5c x86_64 image-builder-52.1-1.el9_8.x86_64.rpm SHA-256: ce5be8c5d90e3b5dad913c2ef734134cd04d8693ebc6802c8d3d9513644c0a25 image-builder-debuginfo-52.1-1.el9_8.x86_64.rpm SHA-256: 1369394ae9d19665fa430f345425c7eaafdd9fcfc624a8e1ffa49c1befc3e64f image-builder-debugsource-52.1-1.el9_8.x86_64.rpm SHA-256: cae018aaf728a62d603f67fde8f8fde3f9d2988c0aa618759a281163dce241ba Red