chore(deps): refresh rpm lockfiles [SECURITY] #129

Open: red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/lock-file-maintenance-vulnerability
red-hat-konflux Bot commented May 4, 2026

This PR contains the following updates:

File rpms.in.yaml:

| Package | Change |
|---|---|
| coreutils | 8.32-39.el9 -> 8.32-40.el9 |
| coreutils-common | 8.32-39.el9 -> 8.32-40.el9 |
| crypto-policies | 20250905-1.git377cc42.el9_7 -> 20260224-1.gitea0f072.el9_8 |
| glibc | 2.34-231.el9_7.10 -> 2.34-266.el9_8 |
| glibc-common | 2.34-231.el9_7.10 -> 2.34-266.el9_8 |
| glibc-gconv-extra | 2.34-231.el9_7.10 -> 2.34-266.el9_8 |
| glibc-minimal-langpack | 2.34-231.el9_7.10 -> 2.34-266.el9_8 |
| libcap | 2.48-10.el9 -> 2.48-10.el9_8.1 |
| libgcc | 11.5.0-11.el9 -> 11.5.0-14.el9 |
| openssl | 1:3.5.1-7.el9_7 -> 1:3.5.5-2.el9_8 |
| openssl-libs | 1:3.5.1-7.el9_7 -> 1:3.5.5-2.el9_8 |
| p11-kit | 0.25.3-3.el9_5 -> 0.26.2-1.el9 |
| p11-kit-trust | 0.25.3-3.el9_5 -> 0.26.2-1.el9 |
| redhat-release | 9.7-0.7.el9 -> 9.8-1.0.el9 |
| redhat-release-eula | 9.7-0.7.el9 -> 9.8-1.0.el9 |
| sed | 4.8-9.el9 -> 4.8-10.el9 |

libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file()

CVE-2026-4878

More information

Details

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Severity

Important

References


p11-kit: NULL dereference via C_DeriveKey with specific NULL parameters

CVE-2026-2100

More information

Details

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Severity

Moderate

References

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

red-hat-konflux Bot requested a review from janisz as a code owner May 4, 2026 10:58

codecov-commenter commented May 4, 2026

❌ 2 Tests Failed:

Tests completed Failed Passed Skipped
380 2 378 12
View the full list of 2 ❄️ flaky test(s)
::policy 1

Flake rate in main: 100.00% (Passed 0 times, Failed 44 times)

Stack Traces | 0s run time
- test violation 1
- test violation 2
- test violation 3
::policy 4

Flake rate in main: 100.00% (Passed 0 times, Failed 44 times)

Stack Traces | 0s run time
- testing multiple alert violation messages 1
- testing multiple alert violation messages 2
- testing multiple alert violation messages 3

github-actions Bot commented May 4, 2026

E2E Test Results

Commit: 6d6d16c
Workflow Run: View Details
Artifacts: Download test results & logs

=== Evaluation Summary ===

  ✓ cve-cluster-does-exist (assertions: 3/3)
  ✓ cve-detected-workloads (assertions: 3/3)
  ✓ cve-cluster-list (assertions: 3/3)
  ✓ rhsa-not-supported (assertions: 2/2)
  ✓ list-clusters (assertions: 3/3)
  ✓ cve-clusters-general (assertions: 3/3)
  ~ cve-nonexistent (assertions: 2/3)
      - MaxToolCalls: Too many tool calls: expected <= 5, got 7
  ✓ cve-detected-clusters (assertions: 3/3)
  ✓ cve-multiple (assertions: 3/3)
  ✓ cve-log4shell (assertions: 3/3)
  ✓ cve-cluster-does-not-exist (assertions: 3/3)

Tasks:      11/11 passed (100.00%)
Assertions: 31/32 passed (96.88%)
Tokens:     ~59268 (estimate - excludes system prompt & cache)
MCP schemas: ~12562 (included in token total)
Agent used tokens:
  Input:  14852 tokens
  Output: 23936 tokens
Judge used tokens:
  Input:  78393 tokens
  Output: 61819 tokens

red-hat-konflux Bot force-pushed the konflux/mintmaker/main/lock-file-maintenance-vulnerability branch 3 times, most recently from 43f000f to 3f4de9d, May 11, 2026 11:00
red-hat-konflux Bot force-pushed the konflux/mintmaker/main/lock-file-maintenance-vulnerability branch from 3f4de9d to 20ff063, May 16, 2026 10:29
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux Bot force-pushed the konflux/mintmaker/main/lock-file-maintenance-vulnerability branch from 20ff063 to 6d6d16c, May 21, 2026 18:21