
RHSA-2026:7674: Red Hat fixes IPv6 literal parsing in rhc (CVE-2026-25679)

Red Hat shipped security advisory RHSA-2026:7674 on 13 April 2026 for rhc, the client and daemon that connect your systems to Red Hat's managed services (Insights, subscriptions, remote management). The trigger is CVE-2026-25679, a flaw in how net/url, the URL parser in the Go standard library that rhc is built on, handles bracketed IPv6 host literals. Red Hat rates the impact as Important.

What actually goes wrong

rhc is written in Go and, like most tools in that language, relies on net/url to break apart the URLs it uses to reach Red Hat's servers. The bug is in how that library reads an IPv6 address written as a bracketed literal, such as https://[2001:db8::1]:443/path. When the bracketed host does not look the way the parser expects, the URL is split differently from how a correct client would split it, and host, port and path can end up assigned to the wrong fields.

The danger here isn't an overflow or direct code execution. It's parser confusion: if rhc reads a URL one way and another component in the chain (a proxy, a validator, a layer enforcing allow-lists) reads it another way, an attacker who controls part of the input can route requests to unintended destinations or slip past host-based checks. That mismatch between parsers is why Red Hat rates this Important rather than treating it as a routine fix.
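The defensive pattern the paragraph above points at, as an added illustration that is not code from the advisory or from rhc: parse with net/url, then re-validate the host field independently instead of trusting a single parser's split. A bracketed host must be a syntactically valid IPv6 address, the host field must round-trip from its parsed parts, and the canonical host must be on an allow-list. The allow-list, the URLs and the scheme restriction are constructed for the example; it does not reproduce the CVE-2026-25679 trigger, which the advisory does not publish.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allow-list for this example; rhc's real
// endpoints are not reproduced here. IPv6 keys are in canonical form.
var allowedHosts = map[string]bool{
	"2001:db8::1": true,
	"example.com": true,
}

// validateTarget parses rawURL with net/url and then checks the host field
// a second time on its own terms. The second check is the point: a URL is
// only accepted if our independent view of the host agrees with the parser's.
func validateTarget(rawURL string) (host, port string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "https" {
		return "", "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return "", "", errors.New("userinfo in URL not allowed")
	}

	hostport := u.Host          // e.g. "[2001:db8::1]:443"
	name := u.Hostname()        // e.g. "2001:db8::1" (brackets stripped)
	port = u.Port()             // e.g. "443", or "" when absent

	// Rebuild what the host field should look like from its parts. If the
	// parser's Host does not match, the URL was split in a way we refuse.
	var expect, canon string
	if strings.HasPrefix(hostport, "[") {
		// RFC 3986 IP-literal: the bracket content must be an IPv6 address.
		addr, perr := netip.ParseAddr(name)
		if perr != nil || !addr.Is6() {
			return "", "", fmt.Errorf("bracketed host %q is not an IPv6 literal", name)
		}
		canon = addr.String() // canonical spelling for the allow-list lookup
		expect = "[" + name + "]"
	} else {
		if strings.ContainsAny(name, ":[]") {
			return "", "", fmt.Errorf("host %q has characters not allowed outside brackets", name)
		}
		canon = strings.ToLower(name)
		expect = name
	}
	if port != "" {
		expect += ":" + port
	}
	if expect != hostport {
		return "", "", fmt.Errorf("host field %q does not round-trip (expected %q)", hostport, expect)
	}
	if !allowedHosts[canon] {
		return "", "", fmt.Errorf("host %q not on allow-list", canon)
	}
	return canon, port, nil
}

func main() {
	// Constructed sample URLs: two that should pass, two that must not.
	for _, raw := range []string{
		"https://[2001:db8::1]:443/path",
		"https://Example.com/api",
		"https://[example.com]/api",   // bracketed but not an IP literal
		"https://[192.0.2.1]:443/api", // brackets are for IPv6 only
	} {
		host, port, err := validateTarget(raw)
		if err != nil {
			fmt.Printf("REJECT %-32s %v\n", raw, err)
			continue
		}
		fmt.Printf("ACCEPT %-32s host=%s port=%q\n", raw, host, port)
	}
}
```

The round-trip comparison is what makes the check robust against a parser that splits an odd literal unexpectedly: whatever net/url decides the host is, it must be reconstructible as either a valid bracketed IPv6 address or a plain name, followed by an optional numeric port, with nothing left over.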

Who is affected

Red Hat Enterprise Linux 8 systems with the rhc package installed, including the Extended Life Cycle 8.10 variants. The update covers the usual architectures: x86_64, aarch64, ppc64le and s390x. If you manage machines with Red Hat Insights or have fleets registered through rhc, this package is in scope. Red Hat has also issued parallel advisories for RHEL 9 and RHEL 10 with the same root cause.

This is not a zero-day, and there is no public evidence of active exploitation. It is a robustness fix in a component that sits directly on the connection between your systems and Red Hat's infrastructure, which is reason enough to apply it rather than leave it in the backlog.

Mitigation and patch

The fix is to update. On RHEL 8 the patched package is rhc-0.2.5-5.el8_10. Run:

sudo dnf update rhc

Then restart the daemon so the patched binary is the one actually running:

sudo systemctl restart rhcd

There is no workaround beyond the patch: the flaw lives inside the binary, so it cannot be disabled through configuration. On a large estate, push the update with your usual tooling (Satellite, Ansible or Insights itself), then confirm with rpm -q rhc that every node reports the fixed version rather than assuming the rollout completed.
