Aggregator

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Nios II architecture; - Sun Sparc architecture; - User-Mode Linux (UML); - x86 architecture; - Block layer subsystem; - Cryptographic API; - Drivers core; - Bus devices; - Hardware random number generator core; - Data acquisition framework and drivers; - CPU frequency scaling framework; - DMA engine subsystem; - GPU drivers; - HW tracing; - Input Device (Miscellaneous) drivers; - Multiple devices driver; - Media drivers; - MOST (Media Oriented Systems Transport) drivers; - MTD block device drivers; - Network drivers; - NVME drivers; - PCI subsystem; - Performance monitor drivers; - Pin controllers subsystem; - x86 platform drivers; - PPS (Pulse Per Second) driver; - PWM drivers; - SCSI subsystem; - TCM subsystem; - Userspace I/O drivers; - USB Gadget drivers; - USB Host Controller drivers; - Framebuffer layer; - BTRFS file system; - File systems infrastructure; - Ext4 file system; - Network file system (NFS) server daemon; - NTFS3 file system; - SMB network file system; - padata parallel execution mechanism; - IP tunnels definitions; - Network sockets; - XFRM subsystem; - Control group (cgroup); - Padata parallel execution mechanism; - PID allocator; - Tracing infrastructure; - Memory management; - 9P file system network protocol; - Ethernet bridge; - Ceph Core library; - Networking core; - IPv4 networking; - IPv6 networking; - NFC subsystem; - RF switch subsystem; - SCTP protocol; - Unix domain sockets; - VMware vSockets driver; - Intel ASoC drivers; - USB sound devices; (CVE-2024-53114, CVE-2024-56538, CVE-2024-58011, CVE-2025-21861, CVE-2025-22058, CVE-2025-23143, CVE-2025-38236, CVE-2025-38248, CVE-2025-38584, CVE-2025-39869, CVE-2025-39873, CVE-2025-39876, CVE-2025-39880, CVE-2025-39883, CVE-2025-39885, CVE-2025-39907, CVE-2025-39911, CVE-2025-39913, CVE-2025-39923, CVE-2025-39934, CVE-2025-39937, CVE-2025-39943, CVE-2025-39945, CVE-2025-39949, CVE-2025-39951, CVE-2025-39953, CVE-2025-39955, CVE-2025-39967, CVE-2025-39968, CVE-2025-39969, CVE-2025-39970, CVE-2025-39971, CVE-2025-39972, CVE-2025-39973, CVE-2025-39980, CVE-2025-39985, CVE-2025-39986, CVE-2025-39987, CVE-2025-39988, CVE-2025-39994, CVE-2025-39995, CVE-2025-39996, CVE-2025-39998, CVE-2025-40001, CVE-2025-40006, CVE-2025-40011, CVE-2025-40020, CVE-2025-40021, CVE-2025-40026, CVE-2025-40027, CVE-2025-40029, CVE-2025-40030, CVE-2025-40035, CVE-2025-40042, CVE-2025-40043, CVE-2025-40044, CVE-2025-40048, CVE-2025-40049, CVE-2025-40053, CVE-2025-40055, CVE-2025-40060, CVE-2025-40068, CVE-2025-40070, CVE-2025-40078, CVE-2025-40081, CVE-2025-40085, CVE-2025-40087, CVE-2025-40088, CVE-2025-40092, CVE-2025-40094, CVE-2025-40105, CVE-2025-40106, CVE-2025-40109, CVE-2025-40111, CVE-2025-40112, CVE-2025-40115, CVE-2025-40116, CVE-2025-40118, CVE-2025-40120, CVE-2025-40121, CVE-2025-40124, CVE-2025-40125, CVE-2025-40126, CVE-2025-40127, CVE-2025-40134, CVE-2025-40140, CVE-2025-40153, CVE-2025-40154, CVE-2025-40167, CVE-2025-40171, CVE-2025-40173, CVE-2025-40178, CVE-2025-40179, CVE-2025-40183, CVE-2025-40187, CVE-2025-40188, CVE-2025-40194, CVE-2025-40200, CVE-2025-40204, CVE-2025-40205, CVE-2025-40215, CVE-2025-40219, CVE-2025-40220, CVE-2025-40223, CVE-2025-40231, CVE-2025-40233, CVE-2025-40240, CVE-2025-40243, CVE-2025-40244, CVE-2025-40245, CVE-2025-40346, CVE-2025-40349, CVE-2025-40351, CVE-2025-68249)

FEDORA-2026-f4563b100f Packages in this update:

• vim-9.1.2146-1.fc42

Update description:

patchlevel 2146

Security fix for CVE-2026-25749

FEDORA-2026-7eda235f65 Packages in this update:

• vim-9.1.2146-1.fc43

Update description:

patchlevel 2146

Security fix for CVE-2026-25749

FEDORA-2026-6ee987bce2 Packages in this update:

• python3.13-3.13.12-1.fc43

Update description:

Update to 3.13.12

FEDORA-EPEL-2026-e148a6bb84 Packages in this update:

• python3.13-3.13.12-1.el10_1

Update description:

Update to 3.13.12

Charles Chan discovered that AIOHTTP incorrectly handled the decompression of compressed requests. A remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 25.10. (CVE-2025-69223) Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII characters in HTTP headers. A remote attacker could possibly use this issue to perform a request smuggling attack to bypass certain proxy protections. This issue was only addressed in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-69224) Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII characters in the Range header. A remote attacker could possibly use this issue to perform a request smuggling attack. (CVE-2025-69225) Thomas Rinsma discovered that AIOHTTP incorrectly handled path normalization when serving static files. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2025-69226) Thomas Rinsma discovered that AIOHTTP incorrectly handled certain POST request bodies. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2025-69227) Thomas Rinsma discovered that AIOHTTP incorrectly handled large POST request payloads. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2025-69228) It was discovered that AIOHTTP incorrectly handled chunked messages. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2025-69229)

Yuhan Gao and Peng Zhou discovered that Dottie was vulnerable to prototype pollution when altering the __proto__ magical attribute. An attacker could possibly use this issue to achieve remote code execution.

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Padata parallel execution mechanism; - Netfilter; (CVE-2022-49698, CVE-2025-21726, CVE-2025-40019)

Titouan Lazard discovered that MUNGE contained an exploitable buffer overflow in munged (the MUNGE authentication daemon). A local attacker could possibly use this issue to forge MUNGE credentials, leading to arbitrary code execution.

It was discovered that the libpng simplified API incorrectly handled quantizing RGB images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.

It was discovered that nginx incorrectly handled proxying to upstream TLS servers. An attacker could possibly use this issue to insert plain text data into the response from an upstream proxied server.

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Media drivers; - NVME drivers; - File systems infrastructure; - Timer subsystem; - Memory management; - Packet sockets; (CVE-2022-48986, CVE-2024-27078, CVE-2024-49959, CVE-2024-50195, CVE-2024-56606, CVE-2024-56756, CVE-2025-39993)

FEDORA-2026-b1b37b00ef Packages in this update:

• python3.13-3.13.12-1.fc42
• python3-docs-3.13.12-1.fc42

Update description:

Update to 3.13.12

It was discovered that HTTP/2, which is used/vendored by DNSdist, did not properly account for resources when handling client-triggered stream resets. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-8671) It was discovered that DNSdist did not properly manage memory limits when handling an unlimited number of queries on a single TCP connection. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-30193) It was discovered that DNSdist, when configured with the nghttp2 library, did not correctly process certain DNS over HTTPS queries. An attacker could possibly use this cause a denial of service. (CVE-2025-30187)

FEDORA-EPEL-2026-2fbc90c446 Packages in this update:

• python3.13-3.13.12-1.el10_2

Update description:

Update to 3.13.12

FEDORA-EPEL-2026-7e7682c00c Packages in this update:

• python3.13-3.13.12-1.el9

Update description:

Update to 3.13.12

Asim Viladi Oglu Manizada discovered that HAProxy incorrectly handled certain INITIAL packets. A remote attacker could possibly use this issue to cause HAProxy to crash, resulting in a denial of service.

Version:next-20260212 (linux-next) Released:2026-02-12

It was discovered that the libpng simplified API incorrectly processed palette PNG images with partial transparency and gamma correction. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service. (CVE-2025-66293) Petr Simecek, Stanislav Fort and Pavel Kohout discovered that the libpng simplified API incorrectly processed interlaced 16-bit PNGs with 8-bit output format and non-minimal row strides. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service. (CVE-2026-22695) Cosmin Truta discovered that the libpng simplified API incorrectly handled invalid row strides. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2026-22801) It was discovered that the libpng simplified API incorrectly handled quantizing RGB images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service. (CVE-2026-25646)