The buildah package in Red Hat Enterprise Linux 9.4 EUS has multiple security vulnerabilities stemming from underlying golang libraries. These include an SSH client panic caused by unexpected SSH_AGENT_SUCCESS messages (CVE-2025-47913), denial of service due to excessive resource consumption from crafted certificates (CVE-2025-61729), memory exhaustion during query parameter parsing in net/url (CVE-2025-61726), incorrect certificate validation during TLS session resumption (CVE-2025-68121), and incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679). Red Hat Product Security has issued an important security advisory (RHSA-2026:12030) with updated buildah packages that address these issues across multiple supported architectures. The advisory includes detailed references and instructions for applying the update.

These vulnerabilities could lead to denial of service conditions (via resource exhaustion or panic), incorrect TLS session handling, and improper URL parsing, potentially affecting the stability and security of systems using buildah to build container images. The impact is rated as important by Red Hat, indicating significant security concerns but no confirmed exploitation in the wild at this time.

Red Hat has released updated buildah packages that fix the identified vulnerabilities. Users running affected versions of Red Hat Enterprise Linux 9.4 Extended Update Support should apply the security update as described in Red Hat advisory RHSA-2026:12030. Detailed instructions and package downloads are available at https://access.redhat.com/articles/11258. No additional mitigation steps are required beyond applying the official update.