The Red Hat security advisory RHSA-2026:3470 addresses two vulnerabilities in the Go Toolset for Red Hat Enterprise Linux 8.4. The first, CVE-2025-61726, is a memory exhaustion vulnerability in the net/url package related to query parameter parsing, categorized under CWE-770. The second, CVE-2025-61732, involves potential code smuggling through doc comments in the cmd/cgo tool. Both vulnerabilities could impact the security of applications built or run with these Go tools. Red Hat has issued updated packages containing fixes for these issues. The advisory provides detailed package versions and SHA-256 checksums for verification. The vulnerabilities are rated as Important by Red Hat Product Security, indicating a high severity level. No CVSS scores are provided in the advisory, and no exploits are currently known in the wild.

The vulnerabilities could lead to memory exhaustion (CVE-2025-61726) and potential code smuggling (CVE-2025-61732) within the Go Toolset environment on affected Red Hat Enterprise Linux 8.4 systems. These issues may affect the stability and security of applications using the Go programming language tools and libraries. The advisory classifies the impact as Important, indicating a significant security concern. There are no reports of exploitation in the wild at this time.

Red Hat has released updated packages for the go-toolset module on Red Hat Enterprise Linux 8.4 that address these vulnerabilities. Users should apply these official updates as detailed in the Red Hat advisory RHSA-2026:3470 and the referenced article https://access.redhat.com/articles/11258. Applying these updates will remediate the memory exhaustion and code smuggling issues. No additional mitigation actions are indicated or required beyond applying the vendor-provided patches.