Unauthenticated code execution in buildah, affecting Linux systems

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Unauthenticated code execution in buildah, affecting Linux systems

RHSA-2026:3297

Summary

A security issue was found in buildah, a tool for building and working with Docker images, on Linux systems. If exploited, it could allow an attacker to execute code on the system without a password. Users should update their buildah packages to the latest version to fix this issue.

What to do

Update redhat buildah to version 2:1.41.8-2.el10_1.
Update redhat buildah-debuginfo to version 2:1.41.8-2.el10_1.
Update redhat buildah-debugsource to version 2:1.41.8-2.el10_1.
Update redhat buildah-tests to version 2:1.41.8-2.el10_1.
Update redhat buildah-tests-debuginfo to version 2:1.41.8-2.el10_1.

Affected software

Vendor	Product	Affected versions	Fix available
redhat	buildah	<= 2:1.41.8-2.el10_1	2:1.41.8-2.el10_1
redhat	buildah-debuginfo	<= 2:1.41.8-2.el10_1	2:1.41.8-2.el10_1
redhat	buildah-debugsource	<= 2:1.41.8-2.el10_1	2:1.41.8-2.el10_1
redhat	buildah-tests	<= 2:1.41.8-2.el10_1	2:1.41.8-2.el10_1
redhat	buildah-tests-debuginfo	<= 2:1.41.8-2.el10_1	2:1.41.8-2.el10_1

Original title

Red Hat Security Advisory: buildah security update

osv CVSS3.1 7.5

https://go.dev/cl/737700 Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3297 Vendor Advisory
https://access.redhat.com/security/updates/classification/#important Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2418462 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2434432 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2437111 Third Party Advisory
https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3297.j... Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-61726 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-61726 Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2025-61726 Vendor Advisory
https://go.dev/cl/736712 Third Party Advisory
https://go.dev/issue/77101 Third Party Advisory
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc Third Party Advisory
https://pkg.go.dev/vuln/GO-2026-4341 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-61729 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-61729 Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2025-61729 Vendor Advisory
https://go.dev/cl/725920 Third Party Advisory
https://go.dev/issue/76445 Third Party Advisory
https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 Third Party Advisory
https://pkg.go.dev/vuln/GO-2025-4155 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-68121 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-68121 Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2025-68121 Vendor Advisory
https://go.dev/issue/77217 Third Party Advisory
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk Third Party Advisory
https://pkg.go.dev/vuln/GO-2026-4337 Vendor Advisory

Published: 25 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026