## This update for buildah fixes the following issues * CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506: golang.org/x/net/html: multiple issues when parsing HTML files (bsc#1267179). * CVE-2026-34986: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262953). * CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266648). * CVE-2026-39827: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266191). * CVE-2026-39828: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266191).
* bsc#1262953
* bsc#1266191
* bsc#1266648
* bsc#1267179
Cross-
* CVE-2025-22869
* CVE-2025-27144
* CVE-2025-47913
* CVE-2025-47914
* CVE-2025-52881
* CVE-2026-25680
* CVE-2026-25681
* CVE-2026-27136
* CVE-2026-34986
* CVE-2026-39821
* CVE-2026-39827
* CVE-2026-39828
* CVE-2026-39829
* CVE-2026-39830
* CVE-2026-39831
* CVE-2026-39832
* CVE-2026-39833
* CVE-2026-39834
* CVE-2026-39835
* CVE-2026-42502
* CVE-2026-42506
* CVE-2026-42508
* CVE-2026-46595
* CVE-2026-46597
* CVE-2026-46598
CVSS scores:
* CVE-2025-22869 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22869 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-27144 ( SUSE ): 8.7
Get the latest Linux and open source security news straight to your inbox.