The yggdrasil system daemon in Red Hat Enterprise Linux subscribes to MQTT topics and routes data to worker processes via D-Bus. It was found vulnerable to three security issues: a denial of service caused by excessive resource consumption from a crafted certificate (CVE-2025-61729), memory exhaustion during query parameter parsing in the Go net/url package (CVE-2025-61726), and unexpected TLS session resumption (CVE-2025-68121). These vulnerabilities stem from components in the Go language libraries used by yggdrasil. Red Hat has issued an update (RHSA-2026:3506) that addresses these flaws for multiple architectures and product variants within Red Hat Enterprise Linux 10.0 Extended Update Support. The advisory provides links to updated packages and instructions for applying the fix.

Successful exploitation of these vulnerabilities could cause denial of service conditions through excessive resource consumption or memory exhaustion, potentially disrupting the yggdrasil daemon's operation. The unexpected TLS session resumption issue could lead to unexpected behavior in secure communications. No evidence of active exploitation in the wild has been reported. The overall security impact is rated as Important by Red Hat, indicating a high severity level.

Red Hat has released updated yggdrasil packages that fix the identified vulnerabilities. Users running affected versions of Red Hat Enterprise Linux 10.0 Extended Update Support should apply these updates promptly following Red Hat's published guidance at https://access.redhat.com/articles/11258. Since this is an official fix, applying the update fully mitigates the vulnerabilities. No additional mitigation steps are indicated by the vendor advisory.