Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Red Hat OS Composer Security Fix for Excessive Resource Consumption
ALSA-2026:3752
Summary
Red Hat released updates to fix security issues that could cause a service for building OS artifacts to consume excessive resources, potentially leading to a denial of service. This affects users who rely on the service for custom OS images and cloud uploads. To stay secure, update the service to the latest version.
What to do
- Update almalinux osbuild-composer to version 149-5.el10_1.alma.3.
- Update almalinux osbuild-composer-core to version 149-5.el10_1.alma.3.
- Update almalinux osbuild-composer-worker to version 149-5.el10_1.alma.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| almalinux | osbuild-composer | <= 149-5.el10_1.alma.3 | 149-5.el10_1.alma.3 |
| almalinux | osbuild-composer-core | <= 149-5.el10_1.alma.3 | 149-5.el10_1.alma.3 |
| almalinux | osbuild-composer-worker | <= 149-5.el10_1.alma.3 | 149-5.el10_1.alma.3 |
Original title
Important: osbuild-composer security update
Original description
A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.
Security Fix(es):
* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
* golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Security Fix(es):
* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
* golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- https://access.redhat.com/errata/RHSA-2026:3752 Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2025-61726 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2025-61728 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2025-61729 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2025-68121 Third Party Advisory
- https://bugzilla.redhat.com/2418462 Third Party Advisory
- https://bugzilla.redhat.com/2434431 Third Party Advisory
- https://bugzilla.redhat.com/2434432 Third Party Advisory
- https://bugzilla.redhat.com/2437111 Third Party Advisory
- https://errata.almalinux.org/10/ALSA-2026-3752.html Vendor Advisory
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026