The golang packages in Red Hat Enterprise Linux 9 contain two security vulnerabilities: CVE-2026-27137 involves incorrect enforcement of email constraints in the crypto/x509 package, potentially affecting certificate validation processes; CVE-2026-25679 involves incorrect parsing of IPv6 host literals in the net/url package, which may lead to improper URL handling. Red Hat has issued an update to golang version 1.26.2-1.el9_8 that fixes these issues. The advisory covers multiple architectures and variants of Red Hat Enterprise Linux 9. The update is classified as Important by Red Hat Product Security. No CVSS scores are provided in the advisory, and no known exploits have been reported.

The vulnerabilities could lead to incorrect processing of email constraints in certificates and improper parsing of IPv6 URLs, which may affect applications relying on these golang packages for security-sensitive operations such as certificate validation and URL handling. The exact impact depends on how these packages are used in the environment. No known exploits in the wild have been reported, indicating limited or no active exploitation at this time.

Red Hat has released an updated golang package (version 1.26.2-1.el9_8) that addresses these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 versions should apply this update promptly to remediate the issues. Detailed instructions for applying the update are available in the Red Hat advisory and article https://access.redhat.com/articles/11258. Since this is an official fix, applying the update is the recommended mitigation. No additional vendor guidance indicates that other mitigations are necessary.