ALSA-2026%3A3752
A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fix(es): * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728) * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AlmaLinux:10 | osbuild-composer-worker | 0 |
| AlmaLinux:10 | osbuild-composer | 0 |
| AlmaLinux:10 | osbuild-composer-core | 0 |
Timeline
- Mar 4, 2026 CVE Published
- Apr 18, 2026 Distribution Patch
- Apr 18, 2026 Distribution Patch
- Apr 18, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2026:3752 advisory
- https://access.redhat.com/security/cve/CVE-2025-61726 report
- https://access.redhat.com/security/cve/CVE-2025-61728 report
- https://access.redhat.com/security/cve/CVE-2025-61729 report
- https://access.redhat.com/security/cve/CVE-2025-68121 report
- https://bugzilla.redhat.com/2418462 report
- https://bugzilla.redhat.com/2434431 report
- https://bugzilla.redhat.com/2434432 report
- https://bugzilla.redhat.com/2437111 report
- https://errata.almalinux.org/10/ALSA-2026-3752.html advisory