This security update addresses CVE-2026-25679 (CVSS 7.5 High), an incorrect parsing flaw for IPv6 host literals in the Go `net/url` library, which could be exploited via crafted URLs. The vulnerability affects the `yggdrasil-worker-package-manager` component on Red Hat Enterprise Linux 10.0 EUS. According to authoritative NVD data, the underlying Go language fix is in version 1.25.8, and Red Hat has released updated packages for the affected RHEL systems.
Red Hat Product Errata RHSA-2026:10701 - Security Advisory Issued: 2026-04-27 Updated: 2026-04-27 RHSA-2026:10701 - Security Advisory Overview Updated Packages Synopsis Important: yggdrasil-worker-package-manager security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for yggdrasil-worker-package-manager is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description yggdrasil-worker-package-manager is a simple package manager yggd worker. It knows how to install and remove packages, add, remove, enable and disable repositories, and does rudimentary detection of the host it is running on to guess the package manager to use. It only installs packages that match one of the provided allow-pattern regular expressions. Security Fix(es): net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url CVEs CVE-2026-25679 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 x86_64 yggdrasil-worker-package-manager-0.2.3-5.el10_0.x86_64.rpm SHA-256: ea0833dc1febca890f10961b043d47eb8a1b925d363fb0970014a7a6588b696c yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.x86_64.rpm SHA-256: 039da141be2e7604048ecd66afac790cc38835da95e35c27d17bacc15ba09d69 yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.x86_64.rpm SHA-256: cbd4a300ca23f114bc3a9353d223d08ebedd9e8a43199d456654228fde6a8136 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 s390x yggdrasil-worker-package-manager-0.2.3-5.el10_0.s390x.rpm SHA-256: 5f7a1701012fd46ec852afbe1eb4940a4646e1b4a4017b9546b2d61fd15a9c3c yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.s390x.rpm SHA-256: e2ab551f6338bd2e1caf32ea48fa8d93bd44225cd7069383fb2e262dbb6435db yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.s390x.rpm SHA-256: c564a7da6e606a5ae818ce49de2dc7786e20f1364e946b22964e559768bbee0d Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 ppc64le yggdrasil-worker-package-manager-0.2.3-5.el10_0.ppc64le.rpm SHA-256: 2e8d64770588fe412b03958256f179dfd159a715fbda179a17ebe2aec3244dea yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.ppc64le.rpm SHA-256: c20614730d70be98127ce1dab12cd278a63bcd8b0507d0ab094e4ed9a1accb59 yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.ppc64le.rpm SHA-256: a44f4c81782d49cd37421e261b7b5caf4be5792d84ba2a5c6110a1992b92ae9b Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 aarch64 yggdrasil-worker-package-manager-0.2.3-5.el10_0.aarch64.rpm SHA-256: 5508db170ad0ff07511795241371c252521367d482322c72bd38751cddc99013 yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.aarch64.rpm SHA-256: dccf77371a74aee9c22aa2d7eea0d1e9c433046fd00f0da4d6a0185aedb9e0ae yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.aarch64.rpm SHA-256: 5526b3114938057c3ad64ef97cad095033f264ec6abcd7ded7a45ad4e3388d78 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 aarch64 yggdrasil-worker-package-manager-0.2.3-5.el10_0.aarch64.rpm SHA-256: 5508db170ad0ff07511795241371c252521367d482322c72bd38751cddc99013 yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.aarch64.rpm SHA-256: dccf77371a74aee9c22aa2d7eea0d1e9c433046fd00f0da4d6a0185aedb9e0ae yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.aarch64.rpm SHA-256: 5526b3114938057c3ad64ef97cad095033f264ec6abcd7ded7a45ad4e3388d78 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 s390x yggdrasil-worker-package-manager-0.2.3-5.el10_0.s390x.rpm SHA-256: 5f7a1701012fd46ec852afbe1eb4940a4646e1b4a4017b9546b2d61fd15a9c3c yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.s390x.rpm SHA-256: e2ab551f6338bd2e1caf32ea48fa8d93bd44225cd7069383fb2e262dbb6435db yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.s390x.rpm SHA-256: c564a7da6e606a5ae818ce49de2dc7786e20f1364e946b22964e559768bbee0d Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 ppc64le yggdrasil-worker-package-manager-0.2.3-5.el10_0.ppc64le.rpm SHA-256: 2e8d64770588fe412b03958256f179dfd159a715fbda179a17ebe2aec3244dea yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.ppc64le.rpm SHA-256: c20614730d70be98127ce1dab12cd278a63bcd8b0507d0ab094e4ed9a1accb59 yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.ppc64le.rpm SHA-256: a44f4c81782d49cd37421e261b7b5caf4be5792d84ba2a5c6110a1992b92ae9b Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 SRPM yggdrasil-worker-package-manager-0.2.3-5.el10_0.src.rpm SHA-256: a6186e0f7c1aea4a2a376acf69b451227fcb3297bf016840fa4e84493e32ab17 x86_64 yggdrasil-worker-package-manager-0.2.3-5.el10_0.x86_64.rpm SHA-256: ea0833dc1febca890f10961b043d47eb8a1b925d363fb0970014a7a6588b696c yggdrasil-worker-package-manager-debuginfo-0.2.3-5.el10_0.x86_64.rpm SHA-256: 039da141be2e7604048ecd66afac790cc38835da95e35c27d17bacc15ba09d69 yggdrasil-worker-package-manager-debugsource-0.2.3-5.el10_0.x86_64.rpm SHA-256: cbd4a300ca23f114bc3a9353d223d08ebedd9e8a43199d456654228fde6a8136 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .