Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Lightspeed
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Lightspeed
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2026:27856 - Security Advisory
Issued:
2026-06-22
Updated:
2026-06-22

RHSA-2026:27856 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: osbuild-composer security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for osbuild-composer is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

  • google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
  • github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
  • BZ - 2455470 - CVE-2026-34986 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

CVEs

  • CVE-2026-33186
  • CVE-2026-34986

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
x86_64
osbuild-composer-134.1-9.el10_0.x86_64.rpm SHA-256: a423be03cf8acc04c1af264c0ecb01f86242bd8821dae2f3d6033c36adbeb760
osbuild-composer-core-134.1-9.el10_0.x86_64.rpm SHA-256: bf88b6cda83cfc78b48857bf87f9592ed1b93cad1312dc4ba12dfe3ca0235bcb
osbuild-composer-core-debuginfo-134.1-9.el10_0.x86_64.rpm SHA-256: 8bb6442f81298327b5d611050073161ec77b4379b7c4efbd89e70e178c70649c
osbuild-composer-debugsource-134.1-9.el10_0.x86_64.rpm SHA-256: 66c1048d9f82aa3570cb8051b768f9251059ad543886309147d942ff53d9d25e
osbuild-composer-tests-debuginfo-134.1-9.el10_0.x86_64.rpm SHA-256: fe3cc4ab50a224ad62543bcb323b0a2b2bd3875aed59a389a826801daae377de
osbuild-composer-worker-134.1-9.el10_0.x86_64.rpm SHA-256: 8f624033b8077dbf7c16a2bf03b971225b020a7e4294b3a7968850e01f954669
osbuild-composer-worker-debuginfo-134.1-9.el10_0.x86_64.rpm SHA-256: 2e5e002587dae89ae33c213f92a92b7a3e40e0066ede44d3246d0794a698e6f3

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
s390x
osbuild-composer-134.1-9.el10_0.s390x.rpm SHA-256: 109f8df26e8a1ac0bf4d6a719a657c9ddce66929e822ffa127237487e8e2c993
osbuild-composer-core-134.1-9.el10_0.s390x.rpm SHA-256: 56ee40e46721b957ec3af310b7b1b92b399298d006000f7c82d1e1bac4229461
osbuild-composer-core-debuginfo-134.1-9.el10_0.s390x.rpm SHA-256: 9496ca6607fd3238e05944fb5712b13c2897d7ef462af20a5c6ae958bb2167e9
osbuild-composer-debugsource-134.1-9.el10_0.s390x.rpm SHA-256: d7a93ee23c2099bcf689087800248194eb0f208b4a5e79271cef7bd3c6ae4477
osbuild-composer-tests-debuginfo-134.1-9.el10_0.s390x.rpm SHA-256: 7a1feed8a7b5e489af09284c865d66b4852d8808725abb1cf56cc0319310a635
osbuild-composer-worker-134.1-9.el10_0.s390x.rpm SHA-256: 328e4bff111f08012dd0736e6866a6f699b2a3b1ac9ea770b7b0a7563d77155d
osbuild-composer-worker-debuginfo-134.1-9.el10_0.s390x.rpm SHA-256: ad864519476000dda657c5e77ec23613cb1de0185964f412581bcac5a528f58b

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
ppc64le
osbuild-composer-134.1-9.el10_0.ppc64le.rpm SHA-256: 016774d91ee07c3072a4158fda0271bffdddcfe7a650bd3ea58fff192d3d0555
osbuild-composer-core-134.1-9.el10_0.ppc64le.rpm SHA-256: dc86de22abe335199511a27a16ea1ed5dc545e263cc7869604ebede37a79a7f7
osbuild-composer-core-debuginfo-134.1-9.el10_0.ppc64le.rpm SHA-256: 2a4bc55e521f98856bc71a47f5d1108ab4c206b8db4ebfe5151ab6a102908d0f
osbuild-composer-debugsource-134.1-9.el10_0.ppc64le.rpm SHA-256: eabfc113e467e91251cfa7e8d40d82ab9cbea1e0cbc001d0a34905029a9d0eed
osbuild-composer-tests-debuginfo-134.1-9.el10_0.ppc64le.rpm SHA-256: 939c43a86fc8e6fa76b80d82ab83fe44ab9e0f3bdb6ea6d4e044bd50adb759a3
osbuild-composer-worker-134.1-9.el10_0.ppc64le.rpm SHA-256: 5e05f2e2bbfe06a963c0cf45819a6806aaa4ead5044c605de7caaca4cd78b3b3
osbuild-composer-worker-debuginfo-134.1-9.el10_0.ppc64le.rpm SHA-256: c1e0c2ed196b47ccedc756c31471313d5a7c34a9ae8a6fec08061687e3eb2c55

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
aarch64
osbuild-composer-134.1-9.el10_0.aarch64.rpm SHA-256: e26a01341fd75d8cfac425e83d6173a536283d9a133671bdb4e360ce562cd538
osbuild-composer-core-134.1-9.el10_0.aarch64.rpm SHA-256: 7b587b17c42674d8ad70bf0fe7264b6ecd0bcd6e9ea3ba61d280c6c64b6ca0ac
osbuild-composer-core-debuginfo-134.1-9.el10_0.aarch64.rpm SHA-256: 0fe3b526c3a5251691a33ae6bf954faf50c5732bf6abfcc056124ed5905b075a
osbuild-composer-debugsource-134.1-9.el10_0.aarch64.rpm SHA-256: 24d47ee12551a2908d58951a3c502c7c00b599bacb58b57b14a1f3e32cc1d573
osbuild-composer-tests-debuginfo-134.1-9.el10_0.aarch64.rpm SHA-256: 3c36e855064acface8e1f1832ef17754efce155a78b920f85d9ef59f629c9d1c
osbuild-composer-worker-134.1-9.el10_0.aarch64.rpm SHA-256: e41da3650d8bfcff330921f09f3e91d06899d95c5c10220201546ad2c4d14705
osbuild-composer-worker-debuginfo-134.1-9.el10_0.aarch64.rpm SHA-256: 0d7b331971f08538b448680f8fd3d4fec91989993a8eea237054aac0208d5159

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
aarch64
osbuild-composer-134.1-9.el10_0.aarch64.rpm SHA-256: e26a01341fd75d8cfac425e83d6173a536283d9a133671bdb4e360ce562cd538
osbuild-composer-core-134.1-9.el10_0.aarch64.rpm SHA-256: 7b587b17c42674d8ad70bf0fe7264b6ecd0bcd6e9ea3ba61d280c6c64b6ca0ac
osbuild-composer-core-debuginfo-134.1-9.el10_0.aarch64.rpm SHA-256: 0fe3b526c3a5251691a33ae6bf954faf50c5732bf6abfcc056124ed5905b075a
osbuild-composer-debugsource-134.1-9.el10_0.aarch64.rpm SHA-256: 24d47ee12551a2908d58951a3c502c7c00b599bacb58b57b14a1f3e32cc1d573
osbuild-composer-tests-debuginfo-134.1-9.el10_0.aarch64.rpm SHA-256: 3c36e855064acface8e1f1832ef17754efce155a78b920f85d9ef59f629c9d1c
osbuild-composer-worker-134.1-9.el10_0.aarch64.rpm SHA-256: e41da3650d8bfcff330921f09f3e91d06899d95c5c10220201546ad2c4d14705
osbuild-composer-worker-debuginfo-134.1-9.el10_0.aarch64.rpm SHA-256: 0d7b331971f08538b448680f8fd3d4fec91989993a8eea237054aac0208d5159

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
s390x
osbuild-composer-134.1-9.el10_0.s390x.rpm SHA-256: 109f8df26e8a1ac0bf4d6a719a657c9ddce66929e822ffa127237487e8e2c993
osbuild-composer-core-134.1-9.el10_0.s390x.rpm SHA-256: 56ee40e46721b957ec3af310b7b1b92b399298d006000f7c82d1e1bac4229461
osbuild-composer-core-debuginfo-134.1-9.el10_0.s390x.rpm SHA-256: 9496ca6607fd3238e05944fb5712b13c2897d7ef462af20a5c6ae958bb2167e9
osbuild-composer-debugsource-134.1-9.el10_0.s390x.rpm SHA-256: d7a93ee23c2099bcf689087800248194eb0f208b4a5e79271cef7bd3c6ae4477
osbuild-composer-tests-debuginfo-134.1-9.el10_0.s390x.rpm SHA-256: 7a1feed8a7b5e489af09284c865d66b4852d8808725abb1cf56cc0319310a635
osbuild-composer-worker-134.1-9.el10_0.s390x.rpm SHA-256: 328e4bff111f08012dd0736e6866a6f699b2a3b1ac9ea770b7b0a7563d77155d
osbuild-composer-worker-debuginfo-134.1-9.el10_0.s390x.rpm SHA-256: ad864519476000dda657c5e77ec23613cb1de0185964f412581bcac5a528f58b

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
ppc64le
osbuild-composer-134.1-9.el10_0.ppc64le.rpm SHA-256: 016774d91ee07c3072a4158fda0271bffdddcfe7a650bd3ea58fff192d3d0555
osbuild-composer-core-134.1-9.el10_0.ppc64le.rpm SHA-256: dc86de22abe335199511a27a16ea1ed5dc545e263cc7869604ebede37a79a7f7
osbuild-composer-core-debuginfo-134.1-9.el10_0.ppc64le.rpm SHA-256: 2a4bc55e521f98856bc71a47f5d1108ab4c206b8db4ebfe5151ab6a102908d0f
osbuild-composer-debugsource-134.1-9.el10_0.ppc64le.rpm SHA-256: eabfc113e467e91251cfa7e8d40d82ab9cbea1e0cbc001d0a34905029a9d0eed
osbuild-composer-tests-debuginfo-134.1-9.el10_0.ppc64le.rpm SHA-256: 939c43a86fc8e6fa76b80d82ab83fe44ab9e0f3bdb6ea6d4e044bd50adb759a3
osbuild-composer-worker-134.1-9.el10_0.ppc64le.rpm SHA-256: 5e05f2e2bbfe06a963c0cf45819a6806aaa4ead5044c605de7caaca4cd78b3b3
osbuild-composer-worker-debuginfo-134.1-9.el10_0.ppc64le.rpm SHA-256: c1e0c2ed196b47ccedc756c31471313d5a7c34a9ae8a6fec08061687e3eb2c55

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
osbuild-composer-134.1-9.el10_0.src.rpm SHA-256: c80a35d7e5f296b07bbc0ba4871e8b2697fc574f7d00a27bc7af2050c4ff9e25
x86_64
osbuild-composer-134.1-9.el10_0.x86_64.rpm SHA-256: a423be03cf8acc04c1af264c0ecb01f86242bd8821dae2f3d6033c36adbeb760
osbuild-composer-core-134.1-9.el10_0.x86_64.rpm SHA-256: bf88b6cda83cfc78b48857bf87f9592ed1b93cad1312dc4ba12dfe3ca0235bcb
osbuild-composer-core-debuginfo-134.1-9.el10_0.x86_64.rpm SHA-256: 8bb6442f81298327b5d611050073161ec77b4379b7c4efbd89e70e178c70649c
osbuild-composer-debugsource-134.1-9.el10_0.x86_64.rpm SHA-256: 66c1048d9f82aa3570cb8051b768f9251059ad543886309147d942ff53d9d25e
osbuild-composer-tests-debuginfo-134.1-9.el10_0.x86_64.rpm SHA-256: fe3cc4ab50a224ad62543bcb323b0a2b2bd3875aed59a389a826801daae377de
osbuild-composer-worker-134.1-9.el10_0.x86_64.rpm SHA-256: 8f624033b8077dbf7c16a2bf03b971225b020a7e4294b3a7968850e01f954669
osbuild-composer-worker-debuginfo-134.1-9.el10_0.x86_64.rpm SHA-256: 2e5e002587dae89ae33c213f92a92b7a3e40e0066ede44d3246d0794a698e6f3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2026 Red Hat

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility