The Red Hat osbuild-composer service, which builds customized OS artifacts such as VM images and OSTree commits, is affected by four security vulnerabilities: CVE-2026-25679 involves incorrect parsing of IPv6 host literals in the net/url package; CVE-2026-32282 is a symlink traversal vulnerability in golang's internal/syscall/unix Root.Chmod function; CVE-2026-32283 and CVE-2026-32280 are denial of service vulnerabilities in Go's crypto/tls and crypto/x509 packages related to TLS 1.3 key update messages and certificate chain building, respectively. These vulnerabilities have been addressed in updated osbuild-composer packages for Red Hat Enterprise Linux 10.0 Extended Update Support across multiple architectures. The vendor advisory classifies the update as important and provides packages and instructions for remediation.

The vulnerabilities could allow attackers to cause denial of service conditions or potentially bypass security controls due to incorrect URL parsing or symlink handling. Specifically, denial of service could be triggered via malformed TLS key update messages or certificate chain building processes. The symlink issue could lead to unauthorized file permission changes outside the intended root directory. These impacts affect the reliability and security of the osbuild-composer service, which is critical for building and distributing OS images.

Red Hat has released updated osbuild-composer packages that address these vulnerabilities. Users of Red Hat Enterprise Linux 10.0 Extended Update Support should apply the security update as detailed in the Red Hat advisory RHSA-2026:19750 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. No additional vendor-recommended mitigations or workarounds are indicated.