A vulnerability (CVE-2026-25679, CVSS 7.5 HIGH) in the Go net/url package allows incorrect parsing of IPv6 host literals, which could be exploited via crafted URLs to cause security bypasses or other impacts. The flaw affects the go-rpm-macros package in Red Hat Enterprise Linux 10, and the security update provides the fix in version 3.6.0-8.el10_1.
Red Hat Product Errata RHSA-2026:8840 - Security Advisory Issued: 2026-04-20 Updated: 2026-04-20 RHSA-2026:8840 - Security Advisory Overview Updated Packages Synopsis Important: go-rpm-macros security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for go-rpm-macros is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only. Security Fix(es): net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Fixes BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url CVEs CVE-2026-25679 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM go-rpm-macros-3.6.0-8.el10_1.src.rpm SHA-256: b811e8b9bebc0c7b562b46b458a6654861121a3035ee02446a02b04cad7399c0 x86_64 go-filesystem-3.6.0-8.el10_1.x86_64.rpm SHA-256: f1e379c7a9714580a3ceba1035c1e68789fe3851c30113dd7a066b800714f371 go-rpm-macros-3.6.0-8.el10_1.x86_64.rpm SHA-256: b8fde8d83dd0ae1bc45cd0330e8b7357d9905321c68de5c0df972db2f4434b93 go-rpm-macros-debuginfo-3.6.0-8.el10_1.x86_64.rpm SHA-256: 373d9be11e658c99d3b7e4b27083e8d50cffad30f5e0aca74d572404cc668a37 go-rpm-macros-debugsource-3.6.0-8.el10_1.x86_64.rpm SHA-256: ef9e37773ceaf0ab7e1e13a44364fe52e5b0a4efdbeeab31cbd7cf6a84816570 go-rpm-templates-3.6.0-8.el10_1.x86_64.rpm SHA-256: 8cc6680cda47dc3e08014e9d0f870d6e001e650a0e9163bcf72d7b94207f116d go-srpm-macros-3.6.0-8.el10_1.noarch.rpm SHA-256: 1ceb98ddccc244e3e32ab79325967e3244e98d4a5d57512a0ae5186071c43289 Red Hat Enterprise Linux for IBM z Systems 10 SRPM go-rpm-macros-3.6.0-8.el10_1.src.rpm SHA-256: b811e8b9bebc0c7b562b46b458a6654861121a3035ee02446a02b04cad7399c0 s390x go-filesystem-3.6.0-8.el10_1.s390x.rpm SHA-256: 0c2a28e6b48c00928a55906f93fdfd8c9cddc02f3ffea63a9e137bda0760d7f8 go-rpm-macros-3.6.0-8.el10_1.s390x.rpm SHA-256: cf3c81e80ccb3d88342020da7011b866d337b49363442e5ae1a94569a10d6a91 go-rpm-macros-debuginfo-3.6.0-8.el10_1.s390x.rpm SHA-256: 15162973d944478f9c51631d81b1002af3cef2bef58f345457bfc897a50ad1d9 go-rpm-macros-debugsource-3.6.0-8.el10_1.s390x.rpm SHA-256: 98bd8070e7e5a85783ce31da619c22f73068dd219e35961e1f3b7a9156aea5b9 go-rpm-templates-3.6.0-8.el10_1.s390x.rpm SHA-256: 8593252d3d222fa95d6f16a4d7cd8087220debd5c6d7f484ae7c065d5bb562b4 go-srpm-macros-3.6.0-8.el10_1.noarch.rpm SHA-256: 1ceb98ddccc244e3e32ab79325967e3244e98d4a5d57512a0ae5186071c43289 Red Hat Enterprise Linux for Power, little endian 10 SRPM go-rpm-macros-3.6.0-8.el10_1.src.rpm SHA-256: b811e8b9bebc0c7b562b46b458a6654861121a3035ee02446a02b04cad7399c0 ppc64le go-filesystem-3.6.0-8.el10_1.ppc64le.rpm SHA-256: 697fa9df52b22fdd7685151af68148dc955eac7cae81bd781b7576022d7d8b85 go-rpm-macros-3.6.0-8.el10_1.ppc64le.rpm SHA-256: 9d02942527d3de46d0e515f39770fb9272911dcb3d3d592d4913248d2dce8e70 go-rpm-macros-debuginfo-3.6.0-8.el10_1.ppc64le.rpm SHA-256: ad3d2459e6266ba41908592d34bcb8e2fea512ef1707ada42714e56ccdca6db4 go-rpm-macros-debugsource-3.6.0-8.el10_1.ppc64le.rpm SHA-256: 3898695173de1db8c5698e476dbee170fed8a96ef88f88241853611d1d6d0618 go-rpm-templates-3.6.0-8.el10_1.ppc64le.rpm SHA-256: ad9606ebecd493ee1dbabebdbb9e65b53dfac47ddecb1770e609a12fbd76e3dd go-srpm-macros-3.6.0-8.el10_1.noarch.rpm SHA-256: 1ceb98ddccc244e3e32ab79325967e3244e98d4a5d57512a0ae5186071c43289 Red Hat Enterprise Linux for ARM 64 10 SRPM go-rpm-macros-3.6.0-8.el10_1.src.rpm SHA-256: b811e8b9bebc0c7b562b46b458a6654861121a3035ee02446a02b04cad7399c0 aarch64 go-filesystem-3.6.0-8.el10_1.aarch64.rpm SHA-256: 5455582db97514eb3476a4f0cd6e648ac70c88811c9f80a8336b0d74598c1c9e go-rpm-macros-3.6.0-8.el10_1.aarch64.rpm SHA-256: 343b42d6369239c399dcfd1abc1a6a29f7f59ec40631f528d36474d23c808a57 go-rpm-macros-debuginfo-3.6.0-8.el10_1.aarch64.rpm SHA-256: 61d84c030c71b7b154417aefa47199d82e7b4a521d8d715fe62cce459ecd88ec go-rpm-macros-debugsource-3.6.0-8.el10_1.aarch64.rpm SHA-256: 21b20b571ed0d397d18c1791888dc85fe43e69e303b63e5337dd2bbaf6631748 go-rpm-templates-3.6.0-8.el10_1.aarch64.rpm SHA-256: 3c4d8ed0df3e15a3c69d028c8d64962c37cc2d53539c15d7e5d62f5ae964f129 go-srpm-macros-3.6.0-8.el10_1.noarch.rpm SHA-256: 1ceb98ddccc244e3e32ab79325967e3244e98d4a5d57512a0ae5186071c43289 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .