diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 4605adf7cf7..f4162f6af9a 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -863,7 +863,7 @@ jobs:
 pool: ${{ arch.pool }}
 Red Hat Universal Base Image 10 ${{ arch.name }}:
 dockerfile: ubi
- image: registry.access.redhat.com/ubi10/ubi:10.0
+ image: registry.access.redhat.com/ubi10/ubi:10.0-1762765098
 artifact: rpm-ubi10-${{ arch.value }}
 python_package: python3.12
 pool: ${{ arch.pool }}
@@ -923,7 +923,7 @@ jobs:
 Red Hat Universal Base Image 10 ${{ arch.name }}:
 artifact: rpm-ubi10-${{ arch.value }}
 distro: el10
- image: registry.access.redhat.com/ubi10/ubi:10.0
+ image: registry.access.redhat.com/ubi10/ubi:10.0-1762765098
 python_package: python3.12
 python_cmd: python3.12
 pip_cmd: pip3.12
diff --git a/scripts/release/rpm/fedora.dockerfile b/scripts/release/rpm/fedora.dockerfile
index 66f0295af42..62d9deefd8f 100644
--- a/scripts/release/rpm/fedora.dockerfile
+++ b/scripts/release/rpm/fedora.dockerfile
@@ -4,7 +4,14 @@ FROM ${image} AS build-env
 ARG cli_version=dev
 ARG python_package=python3
-RUN dnf update -y
+# Install build dependencies in a single dnf transaction so the resolver
+# picks a mutually consistent set of packages. A separate `dnf update -y`
+# step is intentionally avoided: if the configured repositories are
+# temporarily out of sync (e.g. a newer glibc-devel is published before
+# the matching glibc, or vice versa), updating first can pin a package
+# to a version whose tightly-coupled companion is not yet available,
+# breaking the subsequent install. The base image already ships with
+# updates, and any newer transitive dependencies will be pulled in here.
 RUN dnf install -y wget rpm-build gcc libffi-devel ${python_package}-devel openssl-devel make bash coreutils diffutils patch dos2unix perl
 WORKDIR /azure-cli
diff --git a/scripts/release/rpm/ubi.dockerfile b/scripts/release/rpm/ubi.dockerfile
index 596d757ef39..e3d5d3a0b62 100644
--- a/scripts/release/rpm/ubi.dockerfile
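Review bot: The new `image:` value in the `@@ -863` hunk, repeated verbatim in the `@@ -923` hunk, pins UBI 10 by tag only, and a registry tag is a mutable reference, so the pin narrows but does not fix what the build pulls. If the value is passed straight through to `FROM ${image}` (not visible in these hunks), appending the digest would make it immutable, e.g. `image: registry.access.redhat.com/ubi10/ubi:10.0-1762765098@sha256:<digest-placeholder>`. Neither entry says why this build tag was chosen or that the two must move together; a comment such as `# Pinned UBI build; bump both occurrences together` above each line, or a single pipeline variable holding the value, would keep the two jobs from drifting apart.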
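Review bot: The closing sentence of the added comment in fedora.dockerfile overstates what the `RUN dnf install -y ...` line does: the transaction touches only the packages named on the command line and whatever their dependencies force, so every other package in the base image stays at the version the image shipped with. The build-env comment in scripts/release/rpm/ubi.dockerfile (`@@ -7,7` hunk) makes the same claim about `yum install`. I would replace that sentence with something like `# Packages not involved in this transaction stay at the base image's versions.` so the comment is not read as a guarantee that the stage is fully patched. The build-env stage continues below the hunk.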
+++ b/scripts/release/rpm/ubi.dockerfile
@@ -7,7 +7,14 @@ FROM ${image} AS build-env
 ARG cli_version=dev
 ARG python_package=python3.12
-RUN yum update -y
+# Install build dependencies in a single yum transaction so the resolver
+# picks a mutually consistent set of packages. A separate `yum update -y`
+# step is intentionally avoided: when BaseOS and AppStream are temporarily
+# out of sync (e.g. AppStream ships glibc-devel-X but BaseOS has not yet
+# published the matching glibc-X), updating first pins glibc to a version
+# that no installable glibc-devel matches, which then breaks `gcc` install.
+# The base UBI image already ships with security updates; `yum install`
+# will pull any newer transitive dependencies it needs.
 RUN yum install -y wget rpm-build gcc libffi-devel ${python_package}-devel openssl-devel make bash diffutils patch dos2unix perl
 WORKDIR /azure-cli
@@ -25,8 +32,11 @@ RUN --mount=type=secret,id=PIP_INDEX_URL export PIP_INDEX_URL=$(cat /run/secrets
 FROM ${image} AS execution-env
-RUN yum update -y
-
+# Install the built RPM in a single yum transaction (no standalone
+# `yum update -y` beforehand) for the same reason as the build stage:
+# avoid BaseOS/AppStream repo-sync skew failures. The base UBI image
+# already ships with security updates, and any newer transitive
+# dependencies required by azure-cli will be pulled in by this install.
 COPY --from=build-env /azure-cli-dev.rpm ./
 RUN yum install -y ./azure-cli-dev.rpm && \
 az --version
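Review bot: In the execution-env hunk (`@@ -25,8`) the comment's statement that the base UBI image "already ships with security updates" is only true as of the image's build date, and with `yum update -y` removed nothing in this stage picks up errata published afterwards. Together with the tag pin in azure-pipelines.yml, the stage's patch level now changes only when someone bumps that tag. That is probably acceptable if the stage exists only to run `az --version` against the freshly built RPM, but the hunk does not show whether the image is used for anything else. I would say so in the comment, e.g. `# Patch level is fixed by ${image}; bump the image tag to pick up new errata.`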