Fedora Security Advisories

FEDORA-EPEL-2026-6d455368fd Packages in this update:

• chromium-147.0.7727.101-1.el10_3

Update description:

Update to 147.0.7727.101

• Critical CVE-2026-6296: Heap buffer overflow in ANGLE
• Critical CVE-2026-6297: Use after free in Proxy
• Critical CVE-2026-6298: Heap buffer overflow in Skia
• Critical CVE-2026-6299: Use after free in Prerender
• Critical CVE-2026-6358: Use after free in XR
• High CVE-2026-6359: Use after free in Video
• High CVE-2026-6300: Use after free in CSS
• High CVE-2026-6301: Type Confusion in Turbofan
• High CVE-2026-6302: Use after free in Video
• High CVE-2026-6303: Use after free in Codecs
• High CVE-2026-6304: Use after free in Graphite
• High CVE-2026-6305: Heap buffer overflow in PDFium
• High CVE-2026-6306: Heap buffer overflow in PDFium
• High CVE-2026-6307: Type Confusion in Turbofan
• High CVE-2026-6308: Out of bounds read in Media
• High CVE-2026-6309: Use after free in Viz
• High CVE-2026-6360: Use after free in FileSystem
• High CVE-2026-6310: Use after free in Dawn
• High CVE-2026-6311: Uninitialized Use in Accessibility
• High CVE-2026-6312: Insufficient policy enforcement in Passwords
• High CVE-2026-6313: Insufficient policy enforcement in CORS
• High CVE-2026-6314: Out of bounds write in GPU
• High CVE-2026-6315: Use after free in Permissions
• High CVE-2026-6316: Use after free in Forms
• High CVE-2026-6361: Heap buffer overflow in PDFium
• High CVE-2026-6362: Use after free in Codecs
• High CVE-2026-6317: Use after free in Cast
• Medium CVE-2026-6363: Type Confusion in V8
• Medium CVE-2026-6318: Use after free in Codecs
• Medium CVE-2026-6319: Use after free in Payments
• Medium CVE-2026-6364: Out of bounds read in Skia

FEDORA-2026-ca6321e5f1 Packages in this update:

• chromium-147.0.7727.101-1.fc44

Update description:

Update to 147.0.7727.101

• Critical CVE-2026-6296: Heap buffer overflow in ANGLE
• Critical CVE-2026-6297: Use after free in Proxy
• Critical CVE-2026-6298: Heap buffer overflow in Skia
• Critical CVE-2026-6299: Use after free in Prerender
• Critical CVE-2026-6358: Use after free in XR
• High CVE-2026-6359: Use after free in Video
• High CVE-2026-6300: Use after free in CSS
• High CVE-2026-6301: Type Confusion in Turbofan
• High CVE-2026-6302: Use after free in Video
• High CVE-2026-6303: Use after free in Codecs
• High CVE-2026-6304: Use after free in Graphite
• High CVE-2026-6305: Heap buffer overflow in PDFium
• High CVE-2026-6306: Heap buffer overflow in PDFium
• High CVE-2026-6307: Type Confusion in Turbofan
• High CVE-2026-6308: Out of bounds read in Media
• High CVE-2026-6309: Use after free in Viz
• High CVE-2026-6360: Use after free in FileSystem
• High CVE-2026-6310: Use after free in Dawn
• High CVE-2026-6311: Uninitialized Use in Accessibility
• High CVE-2026-6312: Insufficient policy enforcement in Passwords
• High CVE-2026-6313: Insufficient policy enforcement in CORS
• High CVE-2026-6314: Out of bounds write in GPU
• High CVE-2026-6315: Use after free in Permissions
• High CVE-2026-6316: Use after free in Forms
• High CVE-2026-6361: Heap buffer overflow in PDFium
• High CVE-2026-6362: Use after free in Codecs
• High CVE-2026-6317: Use after free in Cast
• Medium CVE-2026-6363: Type Confusion in V8
• Medium CVE-2026-6318: Use after free in Codecs
• Medium CVE-2026-6319: Use after free in Payments
• Medium CVE-2026-6364: Out of bounds read in Skia

FEDORA-2026-3675ac2066 Packages in this update:

• chromium-147.0.7727.101-1.fc42

Update description:

Update to 147.0.7727.101

• Critical CVE-2026-6296: Heap buffer overflow in ANGLE
• Critical CVE-2026-6297: Use after free in Proxy
• Critical CVE-2026-6298: Heap buffer overflow in Skia
• Critical CVE-2026-6299: Use after free in Prerender
• Critical CVE-2026-6358: Use after free in XR
• High CVE-2026-6359: Use after free in Video
• High CVE-2026-6300: Use after free in CSS
• High CVE-2026-6301: Type Confusion in Turbofan
• High CVE-2026-6302: Use after free in Video
• High CVE-2026-6303: Use after free in Codecs
• High CVE-2026-6304: Use after free in Graphite
• High CVE-2026-6305: Heap buffer overflow in PDFium
• High CVE-2026-6306: Heap buffer overflow in PDFium
• High CVE-2026-6307: Type Confusion in Turbofan
• High CVE-2026-6308: Out of bounds read in Media
• High CVE-2026-6309: Use after free in Viz
• High CVE-2026-6360: Use after free in FileSystem
• High CVE-2026-6310: Use after free in Dawn
• High CVE-2026-6311: Uninitialized Use in Accessibility
• High CVE-2026-6312: Insufficient policy enforcement in Passwords
• High CVE-2026-6313: Insufficient policy enforcement in CORS
• High CVE-2026-6314: Out of bounds write in GPU
• High CVE-2026-6315: Use after free in Permissions
• High CVE-2026-6316: Use after free in Forms
• High CVE-2026-6361: Heap buffer overflow in PDFium
• High CVE-2026-6362: Use after free in Codecs
• High CVE-2026-6317: Use after free in Cast
• Medium CVE-2026-6363: Type Confusion in V8
• Medium CVE-2026-6318: Use after free in Codecs
• Medium CVE-2026-6319: Use after free in Payments
• Medium CVE-2026-6364: Out of bounds read in Skia

Update to 147.0.7727.55

• Critical CVE-2026-5858: Heap buffer overflow in WebML
• Critical CVE-2026-5859: Integer overflow in WebML
• High CVE-2026-5860: Use after free in WebRTC
• High CVE-2026-5861: Use after free in V8
• High CVE-2026-5862: Inappropriate implementation in V8
• High CVE-2026-5863: Inappropriate implementation in V8
• High CVE-2026-5864: Heap buffer overflow in WebAudio
• High CVE-2026-5865: Type Confusion in V8
• High CVE-2026-5866: Use after free in Media
• High CVE-2026-5867: Heap buffer overflow in WebML
• High CVE-2026-5868: Heap buffer overflow in ANGLE
• High CVE-2026-5869: Heap buffer overflow in WebML
• High CVE-2026-5870: Integer overflow in Skia
• High CVE-2026-5871: Type Confusion in V8
• High CVE-2026-5872: Use after free in Blink
• High CVE-2026-5873: Out of bounds read and write in V8
• Medium CVE-2026-5874: Use after free in PrivateAI
• Medium CVE-2026-5875: Policy bypass in Blink
• Medium CVE-2026-5876: Side-channel information leakage in Navigation
• Medium CVE-2026-5877: Use after free in Navigation
• Medium CVE-2026-5878: Incorrect security UI in Blink
• Medium CVE-2026-5879: Insufficient validation of untrusted input in ANGLE
• Medium CVE-2026-5880: Incorrect security UI in browser UI
• Medium CVE-2026-5881: Policy bypass in LocalNetworkAccess
• Medium CVE-2026-5882: Incorrect security UI in Fullscreen
• Medium CVE-2026-5883: Use after free in Media
• Medium CVE-2026-5884: Insufficient validation of untrusted input in Media
• Medium CVE-2026-5885: Insufficient validation of untrusted input in WebML
• Medium CVE-2026-5886: Out of bounds read in WebAudio
• Medium CVE-2026-5887: Insufficient validation of untrusted input in Downloads
• Medium CVE-2026-5888: Uninitialized Use in WebCodecs
• Medium CVE-2026-5889: Cryptographic Flaw in PDFium
• Medium CVE-2026-5890: Race in WebCodecs
• Medium CVE-2026-5891: Insufficient policy enforcement in browser UI
• Medium CVE-2026-5892: Insufficient policy enforcement in PWAs
• Medium CVE-2026-5893: Race in V8
• Low CVE-2026-5894: Inappropriate implementation in PDF
• Low CVE-2026-5895: Incorrect security UI in Omnibox
• Low CVE-2026-5896: Policy bypass in Audio
• Low CVE-2026-5897: Incorrect security UI in Downloads
• Low CVE-2026-5898: Incorrect security UI in Omnibox
• Low CVE-2026-5899: Incorrect security UI in History Navigation
• Low CVE-2026-5900: Policy bypass in Downloads
• Low CVE-2026-5901: Policy bypass in DevTools
• Low CVE-2026-5902: Race in Media
• Low CVE-2026-5903: Policy bypass in IFrameSandbox
• Low CVE-2026-5904: Use after free in V8
• Low CVE-2026-5905: Incorrect security UI in Permissions
• Low CVE-2026-5906: Incorrect security UI in Omnibox
• Low CVE-2026-5907: Insufficient data validation in Media
• Low CVE-2026-5908: Integer overflow in Media
• Low CVE-2026-5909: Integer overflow in Media
• Low CVE-2026-5910: Integer overflow in Media
• Low CVE-2026-5911: Policy bypass in ServiceWorkers
• Low CVE-2026-5912: Integer overflow in WebRTC
• Low CVE-2026-5913: Out of bounds read in Blink
• Low CVE-2026-5914: Type Confusion in CSS
• Low CVE-2026-5915: Insufficient validation of untrusted input in WebML
• Low CVE-2026-5918: Inappropriate implementation in Navigation
• Low CVE-2026-5919: Insufficient validation of untrusted input in WebSockets

Update to 146.0.7680.177

• High CVE-2026-5273: Use after free in CSS
• High CVE-2026-5272: Heap buffer overflow in GPU
• High CVE-2026-5274: Integer overflow in Codecs
• High CVE-2026-5275: Heap buffer overflow in ANGLE
• High CVE-2026-5276: Insufficient policy enforcement in WebUSB
• High CVE-2026-5277: Integer overflow in ANGLE
• High CVE-2026-5278: Use after free in Web MIDI
• High CVE-2026-5279: Object corruption in V8
• High CVE-2026-5280: Use after free in WebCodecs
• High CVE-2026-5281: Use after free in Dawn
• High CVE-2026-5282: Out of bounds read in WebCodecs
• High CVE-2026-5283: Inappropriate implementation in ANGLE
• High CVE-2026-5284: Use after free in Dawn
• High CVE-2026-5285: Use after free in WebGL
• High CVE-2026-5286: Use after free in Dawn
• High CVE-2026-5287: Use after free in PDF
• High CVE-2026-5288: Use after free in WebView
• High CVE-2026-5289: Use after free in Navigation
• High CVE-2026-5290: Use after free in Compositing
• Medium CVE-2026-5291: Inappropriate implementation in WebGL
• Medium CVE-2026-5292: Out of bounds read in WebCodecs

FEDORA-EPEL-2026-f2ac7803f9 Packages in this update:

• chromium-147.0.7727.101-1.el10_1

Update description:

Update to 147.0.7727.101

• Critical CVE-2026-6296: Heap buffer overflow in ANGLE
• Critical CVE-2026-6297: Use after free in Proxy
• Critical CVE-2026-6298: Heap buffer overflow in Skia
• Critical CVE-2026-6299: Use after free in Prerender
• Critical CVE-2026-6358: Use after free in XR
• High CVE-2026-6359: Use after free in Video
• High CVE-2026-6300: Use after free in CSS
• High CVE-2026-6301: Type Confusion in Turbofan
• High CVE-2026-6302: Use after free in Video
• High CVE-2026-6303: Use after free in Codecs
• High CVE-2026-6304: Use after free in Graphite
• High CVE-2026-6305: Heap buffer overflow in PDFium
• High CVE-2026-6306: Heap buffer overflow in PDFium
• High CVE-2026-6307: Type Confusion in Turbofan
• High CVE-2026-6308: Out of bounds read in Media
• High CVE-2026-6309: Use after free in Viz
• High CVE-2026-6360: Use after free in FileSystem
• High CVE-2026-6310: Use after free in Dawn
• High CVE-2026-6311: Uninitialized Use in Accessibility
• High CVE-2026-6312: Insufficient policy enforcement in Passwords
• High CVE-2026-6313: Insufficient policy enforcement in CORS
• High CVE-2026-6314: Out of bounds write in GPU
• High CVE-2026-6315: Use after free in Permissions
• High CVE-2026-6316: Use after free in Forms
• High CVE-2026-6361: Heap buffer overflow in PDFium
• High CVE-2026-6362: Use after free in Codecs
• High CVE-2026-6317: Use after free in Cast
• Medium CVE-2026-6363: Type Confusion in V8
• Medium CVE-2026-6318: Use after free in Codecs
• Medium CVE-2026-6319: Use after free in Payments
• Medium CVE-2026-6364: Out of bounds read in Skia

FEDORA-EPEL-2026-9ce82c1a41 Packages in this update:

• chromium-147.0.7727.101-1.el9

Update description:

Update to 147.0.7727.101

• Critical CVE-2026-6296: Heap buffer overflow in ANGLE
• Critical CVE-2026-6297: Use after free in Proxy
• Critical CVE-2026-6298: Heap buffer overflow in Skia
• Critical CVE-2026-6299: Use after free in Prerender
• Critical CVE-2026-6358: Use after free in XR
• High CVE-2026-6359: Use after free in Video
• High CVE-2026-6300: Use after free in CSS
• High CVE-2026-6301: Type Confusion in Turbofan
• High CVE-2026-6302: Use after free in Video
• High CVE-2026-6303: Use after free in Codecs
• High CVE-2026-6304: Use after free in Graphite
• High CVE-2026-6305: Heap buffer overflow in PDFium
• High CVE-2026-6306: Heap buffer overflow in PDFium
• High CVE-2026-6307: Type Confusion in Turbofan
• High CVE-2026-6308: Out of bounds read in Media
• High CVE-2026-6309: Use after free in Viz
• High CVE-2026-6360: Use after free in FileSystem
• High CVE-2026-6310: Use after free in Dawn
• High CVE-2026-6311: Uninitialized Use in Accessibility
• High CVE-2026-6312: Insufficient policy enforcement in Passwords
• High CVE-2026-6313: Insufficient policy enforcement in CORS
• High CVE-2026-6314: Out of bounds write in GPU
• High CVE-2026-6315: Use after free in Permissions
• High CVE-2026-6316: Use after free in Forms
• High CVE-2026-6361: Heap buffer overflow in PDFium
• High CVE-2026-6362: Use after free in Codecs
• High CVE-2026-6317: Use after free in Cast
• Medium CVE-2026-6363: Type Confusion in V8
• Medium CVE-2026-6318: Use after free in Codecs
• Medium CVE-2026-6319: Use after free in Payments
• Medium CVE-2026-6364: Out of bounds read in Skia

FEDORA-EPEL-2026-5f723f26cd Packages in this update:

• gum-0.17.0-3.el10_3

Update description:

Update from version 0.16.1 to version 0.17.0. This update also resolves CVE-2025-47906 and CVE-2026-5160.

• https://github.com/charmbracelet/gum/releases/tag/v0.16.2
• https://github.com/charmbracelet/gum/releases/tag/v0.17.0

FEDORA-2026-10cf6ce616 Packages in this update:

• gum-0.17.0-3.fc44

Update description:

Update vendored goldmark to 1.7.17 to resolve CVE-2026-5160.

FEDORA-2026-bebf3b0544 Packages in this update:

• gum-0.16.1-2.fc42

Update description:

Rebuild with latest golang to resolve CVE-2025-47906.

FEDORA-EPEL-2026-8022001aef Packages in this update:

• coturn-4.10.0-1.el10_3

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-e673311164 Packages in this update:

• coturn-4.10.0-1.fc42

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-63737a3630 Packages in this update:

• coturn-4.10.0-1.el10_1

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-1c11dc3e37 Packages in this update:

• coturn-4.10.0-1.fc44

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-e0c1b77ba1 Packages in this update:

• coturn-4.10.0-1.el9

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-5e71b7731b Packages in this update:

• coturn-4.10.0-1.el10_2

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-1adc5f1ef8 Packages in this update:

• coturn-4.10.0-1.fc43

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-84fff0d811 Packages in this update:

• coturn-4.10.0-1.el8

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-afe659aa4d Packages in this update:

• opam-2.5.1-1.fc44

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-42ff51d2c7 Packages in this update:

• opam-2.5.1-1.fc43

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-301505f38f Packages in this update:

• opam-2.5.1-1.fc42

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-036e523144 Packages in this update:

• minetest-5.15.2-1.fc42

Update description:

5.15.2