Two vulnerabilities affect the Go Toolset in Red Hat Enterprise Linux 8. CVE-2025-61731 allows arbitrary file write via a malicious pkg-config directive in the cmd/go tool, potentially enabling unauthorized file modifications. CVE-2026-25679 involves incorrect parsing of IPv6 host literals in the net/url package, which could lead to improper handling of network addresses. Red Hat has issued an important security update (RHSA-2026:6949) that addresses these issues by updating the go-toolset packages. The advisory covers multiple architectures and provides updated RPM packages for installation. The vendor advisory does not provide CVSS scores but rates the impact as important/high. No exploits are currently known in the wild.

The arbitrary file write vulnerability (CVE-2025-61731) could allow an attacker to write files arbitrarily via a crafted pkg-config directive, potentially leading to unauthorized code execution or system compromise if exploited. The incorrect IPv6 parsing vulnerability (CVE-2026-25679) may cause improper handling of IPv6 host literals, which could affect applications relying on net/url for network address parsing. Both vulnerabilities affect the Go Toolset used in Red Hat Enterprise Linux 8 and could impact systems that compile or run Go code using the affected packages. No public exploits have been reported to date.

Red Hat has released an official security update for the go-toolset module in Red Hat Enterprise Linux 8 that addresses these vulnerabilities. Users should apply the update as soon as possible by following the instructions in the Red Hat advisory (https://access.redhat.com/articles/11258). The update includes patched versions of the go-toolset packages for all affected architectures. There are no indications that additional mitigation steps are required beyond applying the official update.