VDB

ALSA-2026%3A3752

ALSA-2026%3A3752 PUBLISHED CVSS 9.300000190734863 CRITICAL

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fix(es): * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728) * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Risk Scores

CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
AlmaLinux:10osbuild-composer-worker0
AlmaLinux:10osbuild-composer0
AlmaLinux:10osbuild-composer-core0

Timeline

  • Mar 4, 2026 CVE Published
  • Apr 18, 2026 Distribution Patch
  • Apr 18, 2026 Distribution Patch
  • Apr 18, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›