- What: Red Hat released a security update for git-lfs.
- Impact: Addresses a vulnerability in IPv6 host literal parsing.

Red Hat Product Errata
RHSA-2026:9435 - Security Advisory

Issued: 2026-04-21
Updated: 2026-04-21

Synopsis
Important: git-lfs security update

Type/Severity
Security Advisory: Important

Topic
An update for git-lfs is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):
- net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
- Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes
- BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url

CVEs
- CVE-2026-25679

References
- https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Updated Packages

SRPM (all listed products):
- git-lfs-3.6.1-2.el10_0.3.src.rpm

x86_64 (Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0; Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0):
- git-lfs-3.6.1-2.el10_0.3.x86_64.rpm
- git-lfs-debuginfo-3.6.1-2.el10_0.3.x86_64.rpm
- git-lfs-debugsource-3.6.1-2.el10_0.3.x86_64.rpm

s390x (Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0; Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0):
- git-lfs-3.6.1-2.el10_0.3.s390x.rpm
- git-lfs-debuginfo-3.6.1-2.el10_0.3.s390x.rpm
- git-lfs-debugsource-3.6.1-2.el10_0.3.s390x.rpm

ppc64le (Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0; Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0):
- git-lfs-3.6.1-2.el10_0.3.ppc64le.rpm
- git-lfs-debuginfo-3.6.1-2.el10_0.3.ppc64le.rpm
- git-lfs-debugsource-3.6.1-2.el10_0.3.ppc64le.rpm

aarch64 (Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0; Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0):
- git-lfs-3.6.1-2.el10_0.3.aarch64.rpm
- git-lfs-debuginfo-3.6.1-2.el10_0.3.aarch64.rpm
- git-lfs-debugsource-3.6.1-2.el10_0.3.aarch64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.