This security update for skopeo addresses multiple high-severity vulnerabilities in its underlying Go components, including a critical (CVSS 10.0) TLS session resumption flaw (CVE-2025-68121) and high-severity (CVSS 7.5) issues causing denial of service via crafted certificates and memory exhaustion in URL parsing. The affected versions are skopeo packages built with Go versions earlier than the fixed ranges specified in the NVD data (e.g., Go < 1.24.11 for CVE-2025-61729). The advisory provides updated skopeo packages to remediate these vulnerabilities.
Red Hat Product Errata RHSA-2026:25250 - Security Advisory Issued: 2026-06-11 Updated: 2026-06-11 RHSA-2026:25250 - Security Advisory Overview Updated Packages Synopsis Important: skopeo security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for skopeo is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix(es): crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - AUS 9.2 x86_64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 s390x Fixes BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url BZ - 2437111 - CVE-2025-68121 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url BZ - 2455470 - CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object CVEs CVE-2025-61726 CVE-2025-61729 CVE-2025-68121 CVE-2026-25679 CVE-2026-34986 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - AUS 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a x86_64 skopeo-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 98576ca4bbf6040a05c47f60193672cc50473bea9839db74697805b750d16189 skopeo-debuginfo-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 60c12e18b95306ec5e21aa949f6979d556dbee21a594ebbeedf6bec28b39b617 skopeo-debugsource-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 9794ea8cdfebf2a26a1669a899b8a93212a6ce9daf0b61810f5528172a3b7315 skopeo-tests-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: bb034c42167ff3f006e80c9376ba2fbdac1930933ad60c335016ea49ee39a47a Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a ppc64le skopeo-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: 9a7fd9dc601d41e0215a4f36c29c98521c0f0cc95ab1de80d962044d8c2160ab skopeo-debuginfo-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: 417579bddee8de8b107da6b36df10e912c21a9e6f3de4d82dab300b0800be598 skopeo-debugsource-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: a98a08ba65f5fcd7a36672a60459df21879b87ef6b75ceb125305eed60e0b4f4 skopeo-tests-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: a9f54130115a9b5a01539ca359f5a2237ffb5e193a57063fbb8efb25c23a183e Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a x86_64 skopeo-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 98576ca4bbf6040a05c47f60193672cc50473bea9839db74697805b750d16189 skopeo-debuginfo-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 60c12e18b95306ec5e21aa949f6979d556dbee21a594ebbeedf6bec28b39b617 skopeo-debugsource-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 9794ea8cdfebf2a26a1669a899b8a93212a6ce9daf0b61810f5528172a3b7315 skopeo-tests-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: bb034c42167ff3f006e80c9376ba2fbdac1930933ad60c335016ea49ee39a47a Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a aarch64 skopeo-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 7dc80c29b4a0fb22f53c21cc7e681f2484809305091f594db877c06f550148f9 skopeo-debuginfo-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 531aa2f5ebd86a179cf1a3b84e474d0ef480c0183d083de929eb589175a91b27 skopeo-debugsource-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 625cb9bef26605d7fa31e650c289770618a9aeb5137c8958d1796e2869d1461a skopeo-tests-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 3a47d7354866904352cd3a510f2f82cc55a27c620edca2bf3b0549df280082da Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a s390x skopeo-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 45db0127033c1699635bbc5f3f15fc734f82dd7a62a8aee9a9e6d445597f5606 skopeo-debuginfo-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 296a4cd3b8947682a0923dba48155800cc26d4876239ca38fe68bd73f51f1374 skopeo-debugsource-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 34587c279af9cd9a656ddf637c1e6a61d9a5f9ad2d253618ed731a705dda8036 skopeo-tests-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 0098e5794d8a2881bb0398bf41001bd3ec3ebd79ba39b3d5097daa2e11eb61b2 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a x86_64 skopeo-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 98576ca4bbf6040a05c47f60193672cc50473bea9839db74697805b750d16189 skopeo-debuginfo-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 60c12e18b95306ec5e21aa949f6979d556dbee21a594ebbeedf6bec28b39b617 skopeo-debugsource-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: 9794ea8cdfebf2a26a1669a899b8a93212a6ce9daf0b61810f5528172a3b7315 skopeo-tests-1.11.4-0.1.el9_2.6.x86_64.rpm SHA-256: bb034c42167ff3f006e80c9376ba2fbdac1930933ad60c335016ea49ee39a47a Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a aarch64 skopeo-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 7dc80c29b4a0fb22f53c21cc7e681f2484809305091f594db877c06f550148f9 skopeo-debuginfo-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 531aa2f5ebd86a179cf1a3b84e474d0ef480c0183d083de929eb589175a91b27 skopeo-debugsource-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 625cb9bef26605d7fa31e650c289770618a9aeb5137c8958d1796e2869d1461a skopeo-tests-1.11.4-0.1.el9_2.6.aarch64.rpm SHA-256: 3a47d7354866904352cd3a510f2f82cc55a27c620edca2bf3b0549df280082da Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a ppc64le skopeo-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: 9a7fd9dc601d41e0215a4f36c29c98521c0f0cc95ab1de80d962044d8c2160ab skopeo-debuginfo-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: 417579bddee8de8b107da6b36df10e912c21a9e6f3de4d82dab300b0800be598 skopeo-debugsource-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: a98a08ba65f5fcd7a36672a60459df21879b87ef6b75ceb125305eed60e0b4f4 skopeo-tests-1.11.4-0.1.el9_2.6.ppc64le.rpm SHA-256: a9f54130115a9b5a01539ca359f5a2237ffb5e193a57063fbb8efb25c23a183e Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 SRPM skopeo-1.11.4-0.1.el9_2.6.src.rpm SHA-256: 4a49a6a42abe159fffa22e550a84641fc91542811799ea79dde344f365928e9a s390x skopeo-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 45db0127033c1699635bbc5f3f15fc734f82dd7a62a8aee9a9e6d445597f5606 skopeo-debuginfo-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 296a4cd3b8947682a0923dba48155800cc26d4876239ca38fe68bd73f51f1374 skopeo-debugsource-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 34587c279af9cd9a656ddf637c1e6a61d9a5f9ad2d253618ed731a705dda8036 skopeo-tests-1.11.4-0.1.el9_2.6.s390x.rpm SHA-256: 0098e5794d8a2881bb0398bf41001bd3ec3ebd79ba39b3d5097daa2e11eb61b2 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .