The buildah tool used for building OCI and Docker container images in Red Hat Enterprise Linux 10.0 is affected by multiple vulnerabilities stemming from underlying Go libraries. These include an SSH client panic caused by unexpected SSH agent responses (CVE-2025-47913), denial of service through crafted X.509 certificates causing excessive resource consumption (CVE-2025-61729), memory exhaustion during URL query parameter parsing (CVE-2025-61726), improper TLS session resumption validation allowing unexpected session resumption (CVE-2025-68121), and incorrect parsing of IPv6 host literals in URL processing (CVE-2026-25679). Red Hat has issued security updates for buildah version 1.39.8-1.el10_0 across multiple architectures to address these issues. The advisory references specific bugzilla entries and provides updated packages for remediation.

Successful exploitation of these vulnerabilities could lead to denial of service conditions (via resource exhaustion or panics) and potential security bypasses in TLS session validation. These issues affect the buildah tool and its underlying Go libraries, potentially impacting container image building workflows. No known active exploitation has been reported. The overall security impact is rated as Important by Red Hat Product Security.

Red Hat has released updated buildah packages (version 1.39.8-1.el10_0) for Red Hat Enterprise Linux 10.0 Extended Update Support across multiple architectures. Users should apply these official updates promptly to remediate the vulnerabilities. Detailed update instructions are available at https://access.redhat.com/articles/11258. Since this is an on-premises product, remediation requires manual package updates. No additional mitigation steps are indicated by the vendor advisory.