This important security update addresses CVE-2026-25679 (CVSS 7.5 High), an incorrect parsing vulnerability in the Go `net/url` library affecting IPv6 host literals, which is embedded in the yggdrasil daemon. The underlying Go language vulnerability affects versions prior to Go 1.25.8 and version 1.26.0, requiring an update to the patched yggdrasil packages for Red Hat Enterprise Linux 10. Administrators should apply the provided yggdrasil update to all affected RHEL 10 systems.
Red Hat Product Errata RHSA-2026:11413 - Security Advisory Issued: 2026-04-28 Updated: 2026-04-28 RHSA-2026:11413 - Security Advisory Overview Updated Packages Synopsis Important: yggdrasil security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for yggdrasil is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description yggdrasil is a system daemon that subscribes to topics on an MQTT broker and routes any data received on the topics to an appropriate child "worker" process, exchanging data with its worker processes through a D-Bus message broker. Security Fix(es): net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for x86_64 10 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x Fixes BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url CVEs CVE-2026-25679 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM yggdrasil-0.4.8-4.el10_1.src.rpm SHA-256: a5157dad4d61f4d41a732578505b61ae2593b007f184d1988906543bd46131a3 x86_64 yggdrasil-0.4.8-4.el10_1.x86_64.rpm SHA-256: 2c9c784ab416bd7b7c32aacdf3e35e4ff8dc08777b3c607799b131481c5372af yggdrasil-debuginfo-0.4.8-4.el10_1.x86_64.rpm SHA-256: 4711d6fcd5e04d64fbb4d7a883da5fe27b1cc77af1ebe26313ae9181afb042ea yggdrasil-debugsource-0.4.8-4.el10_1.x86_64.rpm SHA-256: 2eee1192436b465b16c279ab878e50a09941cbb2eda9adac9f6910c04330a11e yggdrasil-examples-debuginfo-0.4.8-4.el10_1.x86_64.rpm SHA-256: 3e1c8aa1cf813de03de5e2a39511d8acf46c7e217c5edf90fd876961fd75ff3c Red Hat Enterprise Linux for IBM z Systems 10 SRPM yggdrasil-0.4.8-4.el10_1.src.rpm SHA-256: a5157dad4d61f4d41a732578505b61ae2593b007f184d1988906543bd46131a3 s390x yggdrasil-0.4.8-4.el10_1.s390x.rpm SHA-256: 63891bf2bda1c16013d0b9666e278012b6bc09d1c395688714c8bdeaba8f2a36 yggdrasil-debuginfo-0.4.8-4.el10_1.s390x.rpm SHA-256: 137b6d0a1dcc8329cb610ecf0329f41ce8f302a74508d8f5e3b8716cdf15efb2 yggdrasil-debugsource-0.4.8-4.el10_1.s390x.rpm SHA-256: b7a907c3cf82cbca551b9dc653b2b9a4a7669e79f0ce70fdd9d840d9bbe30e08 yggdrasil-examples-debuginfo-0.4.8-4.el10_1.s390x.rpm SHA-256: f6243f81637203a528beabe0216299cb82bcbb2b2fe982fa96aa9abc61c3c876 Red Hat Enterprise Linux for Power, little endian 10 SRPM yggdrasil-0.4.8-4.el10_1.src.rpm SHA-256: a5157dad4d61f4d41a732578505b61ae2593b007f184d1988906543bd46131a3 ppc64le yggdrasil-0.4.8-4.el10_1.ppc64le.rpm SHA-256: 25a969e6d07f14666c5fbd0ec450e064e93c3a119e652bad848d7689f4af086d yggdrasil-debuginfo-0.4.8-4.el10_1.ppc64le.rpm SHA-256: e5507c3b0350a52b92a8489cb113e9e0f7aa44e23333cc92fc1c7f6ea0f9f586 yggdrasil-debugsource-0.4.8-4.el10_1.ppc64le.rpm SHA-256: 92777a130b1ed958b90bfde86ce27436acb7e25887d36fa6dffa8033bf81712f yggdrasil-examples-debuginfo-0.4.8-4.el10_1.ppc64le.rpm SHA-256: 54314ded02aacbda8481cc426ea6ef053f560de145921cdaaa61ec437bd83330 Red Hat Enterprise Linux for ARM 64 10 SRPM yggdrasil-0.4.8-4.el10_1.src.rpm SHA-256: a5157dad4d61f4d41a732578505b61ae2593b007f184d1988906543bd46131a3 aarch64 yggdrasil-0.4.8-4.el10_1.aarch64.rpm SHA-256: 57499402722f11861aa4f88e3037d16cc1079daffe8a97121f9bb10c3acababe yggdrasil-debuginfo-0.4.8-4.el10_1.aarch64.rpm SHA-256: 78d11f2ba76c12163759487fd99f4df95bdf2f17b76feb07fa486f00a90d3929 yggdrasil-debugsource-0.4.8-4.el10_1.aarch64.rpm SHA-256: 4fa26cc6b13ccb11ad44b2569c8c890ee003d218c5692f800881ed5d916b0848 yggdrasil-examples-debuginfo-0.4.8-4.el10_1.aarch64.rpm SHA-256: 2aa4dbe291190f0a0e67cd380ecc5254b76bebcac306882968b64d8aa6bebf56 Red Hat CodeReady Linux Builder for x86_64 10 SRPM x86_64 yggdrasil-debuginfo-0.4.8-4.el10_1.x86_64.rpm SHA-256: 4711d6fcd5e04d64fbb4d7a883da5fe27b1cc77af1ebe26313ae9181afb042ea yggdrasil-debugsource-0.4.8-4.el10_1.x86_64.rpm SHA-256: 2eee1192436b465b16c279ab878e50a09941cbb2eda9adac9f6910c04330a11e yggdrasil-devel-0.4.8-4.el10_1.x86_64.rpm SHA-256: 3a732f4a7eab7926a200495a80538c9c4ee0eb03be07557e65b561c14623cd1d yggdrasil-examples-debuginfo-0.4.8-4.el10_1.x86_64.rpm SHA-256: 3e1c8aa1cf813de03de5e2a39511d8acf46c7e217c5edf90fd876961fd75ff3c Red Hat CodeReady Linux Builder for Power, little endian 10 SRPM ppc64le yggdrasil-debuginfo-0.4.8-4.el10_1.ppc64le.rpm SHA-256: e5507c3b0350a52b92a8489cb113e9e0f7aa44e23333cc92fc1c7f6ea0f9f586 yggdrasil-debugsource-0.4.8-4.el10_1.ppc64le.rpm SHA-256: 92777a130b1ed958b90bfde86ce27436acb7e25887d36fa6dffa8033bf81712f yggdrasil-devel-0.4.8-4.el10_1.ppc64le.rpm SHA-256: b4b8a361082cd26550c2e2ded966a2576b7b5b64fadad8f82c288fafb7392986 yggdrasil-examples-debuginfo-0.4.8-4.el10_1.ppc64le.rpm SHA-256: 54314ded02aacbda8481cc426ea6ef053f560de145921cdaaa61ec437bd83330 Red Hat CodeReady Linux Builder for ARM 64 10 SRPM aarch64 yggdrasil-debuginfo-0.4.8-4.el10_1.aarch64.rpm SHA-256: 78d11f2ba76c12163759487fd99f4df95bdf2f17b76feb07fa486f00a90d3929 yggdrasil-debugsource-0.4.8-4.el10_1.aarch64.rpm SHA-256: 4fa26cc6b13ccb11ad44b2569c8c890ee003d218c5692f800881ed5d916b0848 yggdrasil-devel-0.4.8-4.el10_1.aarch64.rpm SHA-256: a400bedb3ded05ae9fc3741a6374c9d9a875e4fc691df757fc2c5a851d2261c2 yggdrasil-examples-debuginfo-0.4.8-4.el10_1.aarch64.rpm SHA-256: 2aa4dbe291190f0a0e67cd380ecc5254b76bebcac306882968b64d8aa6bebf56 Red Hat CodeReady Linux Builder for IBM z Systems 10 SRPM s390x yggdrasil-debuginfo-0.4.8-4.el10_1.s390x.rpm SHA-256: 137b6d0a1dcc8329cb610ecf0329f41ce8f302a74508d8f5e3b8716cdf15efb2 yggdrasil-debugsource-0.4.8-4.el10_1.s390x.rpm SHA-256: b7a907c3cf82cbca551b9dc653b2b9a4a7669e79f0ce70fdd9d840d9bbe30e08 yggdrasil-devel-0.4.8-4.el10_1.s390x.rpm SHA-256: ffcf6db905c964bbd5d5091107c72809216ec5ac74c5e47f649114a05b6a1f32 yggdrasil-examples-debuginfo-0.4.8-4.el10_1.s390x.rpm SHA-256: f6243f81637203a528beabe0216299cb82bcbb2b2fe982fa96aa9abc61c3c876 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .