Red Hat Product Security has published an important security advisory (RHSA-2026:3473) for golang packages in Red Hat Enterprise Linux 9.0 addressing three vulnerabilities: CVE-2025-61728 involves excessive CPU consumption when building archive indexes in the archive/zip package; CVE-2025-61726 concerns memory exhaustion during query parameter parsing in net/url; and CVE-2025-61732 relates to potential code smuggling via doc comments in cmd/cgo. These issues affect the Go programming language compiler packages distributed by Red Hat. The advisory includes updated golang packages to fix these vulnerabilities across multiple architectures including x86_64, ppc64le, aarch64, and s390x. The vendor advisory provides detailed package versions and SHA-256 checksums for verification. No CVSS scores are provided in the advisory, but the severity is rated as important (high).

The vulnerabilities can lead to resource exhaustion conditions such as excessive CPU usage and memory exhaustion when processing specific inputs in golang packages, potentially impacting system stability or availability. The code smuggling vulnerability in cmd/cgo could allow unintended code execution paths via specially crafted doc comments. These issues affect systems running vulnerable versions of golang on Red Hat Enterprise Linux 9.0. There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated golang packages for Red Hat Enterprise Linux 9.0 that address these vulnerabilities. Users should apply the official security update RHSA-2026:3473 as described in the Red Hat advisory and referenced update article (https://access.redhat.com/articles/11258). Applying these updates will remediate the vulnerabilities. No additional mitigation steps are indicated or required beyond installing the provided patches.