Fedora Security Advisories

FEDORA-2026-cf9e55a7a0 Packages in this update:

• xorg-x11-server-21.1.22-1.fc44

Update description:

Update to xserver 21.1.22, CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003

FEDORA-2026-e0c31e9e7e Packages in this update:

• cef-146.0.11^chromium146.0.7680.177-2.fc42

Update description:

Update to 146.0.7680.177 + cef-146.0.11+g8e1262b

• High CVE-2026-5273: Use after free in CSS
• High CVE-2026-5272: Heap buffer overflow in GPU
• High CVE-2026-5274: Integer overflow in Codecs
• High CVE-2026-5275: Heap buffer overflow in ANGLE
• High CVE-2026-5276: Insufficient policy enforcement in WebUSB
• High CVE-2026-5277: Integer overflow in ANGLE
• High CVE-2026-5278: Use after free in Web MIDI
• High CVE-2026-5279: Object corruption in V8
• High CVE-2026-5280: Use after free in WebCodecs
• High CVE-2026-5281: Use after free in Dawn
• High CVE-2026-5282: Out of bounds read in WebCodecs
• High CVE-2026-5283: Inappropriate implementation in ANGLE
• High CVE-2026-5284: Use after free in Dawn
• High CVE-2026-5285: Use after free in WebGL
• High CVE-2026-5286: Use after free in Dawn
• High CVE-2026-5287: Use after free in PDF
• High CVE-2026-5288: Use after free in WebView
• High CVE-2026-5289: Use after free in Navigation
• High CVE-2026-5290: Use after free in Compositing
• Medium CVE-2026-5291: Inappropriate implementation in WebGL
• Medium CVE-2026-5292: Out of bounds read in WebCodecs

FEDORA-2026-83fdfd7e0e Packages in this update:

• cef-146.0.11^chromium146.0.7680.177-2.fc44

Update description:

Update to 146.0.7680.177 + cef-146.0.11+g8e1262b

• High CVE-2026-5273: Use after free in CSS
• High CVE-2026-5272: Heap buffer overflow in GPU
• High CVE-2026-5274: Integer overflow in Codecs
• High CVE-2026-5275: Heap buffer overflow in ANGLE
• High CVE-2026-5276: Insufficient policy enforcement in WebUSB
• High CVE-2026-5277: Integer overflow in ANGLE
• High CVE-2026-5278: Use after free in Web MIDI
• High CVE-2026-5279: Object corruption in V8
• High CVE-2026-5280: Use after free in WebCodecs
• High CVE-2026-5281: Use after free in Dawn
• High CVE-2026-5282: Out of bounds read in WebCodecs
• High CVE-2026-5283: Inappropriate implementation in ANGLE
• High CVE-2026-5284: Use after free in Dawn
• High CVE-2026-5285: Use after free in WebGL
• High CVE-2026-5286: Use after free in Dawn
• High CVE-2026-5287: Use after free in PDF
• High CVE-2026-5288: Use after free in WebView
• High CVE-2026-5289: Use after free in Navigation
• High CVE-2026-5290: Use after free in Compositing
• Medium CVE-2026-5291: Inappropriate implementation in WebGL
• Medium CVE-2026-5292: Out of bounds read in WebCodecs

FEDORA-2026-ffdca48c25 Packages in this update:

• cef-146.0.11^chromium146.0.7680.177-2.fc43

Update description:

Update to 146.0.7680.177 + cef-146.0.11+g8e1262b

• High CVE-2026-5273: Use after free in CSS
• High CVE-2026-5272: Heap buffer overflow in GPU
• High CVE-2026-5274: Integer overflow in Codecs
• High CVE-2026-5275: Heap buffer overflow in ANGLE
• High CVE-2026-5276: Insufficient policy enforcement in WebUSB
• High CVE-2026-5277: Integer overflow in ANGLE
• High CVE-2026-5278: Use after free in Web MIDI
• High CVE-2026-5279: Object corruption in V8
• High CVE-2026-5280: Use after free in WebCodecs
• High CVE-2026-5281: Use after free in Dawn
• High CVE-2026-5282: Out of bounds read in WebCodecs
• High CVE-2026-5283: Inappropriate implementation in ANGLE
• High CVE-2026-5284: Use after free in Dawn
• High CVE-2026-5285: Use after free in WebGL
• High CVE-2026-5286: Use after free in Dawn
• High CVE-2026-5287: Use after free in PDF
• High CVE-2026-5288: Use after free in WebView
• High CVE-2026-5289: Use after free in Navigation
• High CVE-2026-5290: Use after free in Compositing
• Medium CVE-2026-5291: Inappropriate implementation in WebGL
• Medium CVE-2026-5292: Out of bounds read in WebCodecs

FEDORA-2026-631b9d535c Packages in this update:

• flatpak-builder-1.4.8-1.fc42

Update description:

This update includes a fix for CVE-2026-39977. See also: the upstream advisory

FEDORA-2026-25ff246b4f Packages in this update:

• flatpak-builder-1.4.8-1.fc43

Update description:

This update includes a fix for CVE-2026-39977. See also: the upstream advisory

FEDORA-2026-5e62b78a0c Packages in this update:

• flatpak-builder-1.4.8-1.fc44

Update description:

This update includes a fix for CVE-2026-39977. See also: the upstream advisory

FEDORA-2026-2af3865ebf Packages in this update:

• pypy-7.3.21-8.fc43

Update description:

JIT translation fix for bootstraping, require openssl 3 and fix CVE-2026-25645 and CVE-2025-8869

FEDORA-2026-fdc024ddc3 Packages in this update:

• pypy-7.3.21-8.fc44

Update description:

JIT translation fix for bootstraping, require openssl 3 and fix CVE-2026-25645 and CVE-2025-8869

FEDORA-2026-ae330775b9 Packages in this update:

• pypy-7.3.21-8.fc45

Update description:

JIT translation fix for bootstraping, require openssl 3 and fix CVE-2026-25645 and CVE-2025-8869

FEDORA-2026-adc66b374a Packages in this update:

• xdg-dbus-proxy-0.1.7-1.fc42

Update description:

Update the package, including fix for CVE-2026-34080. See also: upstream security advisory

FEDORA-2026-9518314403 Packages in this update:

• xdg-dbus-proxy-0.1.7-1.fc43

Update description:

Update the package, including fix for CVE-2026-34080. See also: upstream security advisory

FEDORA-2026-205fd328d2 Packages in this update:

• xdg-dbus-proxy-0.1.7-1.fc44

Update description:

Update the package, including fix for CVE-2026-34080. See also: upstream security advisory

FEDORA-2026-78adb25141 Packages in this update:

• libexif-0.6.26-1.fc43

Update description:

Update to 0.6.26, fixing several CVEs

https://github.com/libexif/libexif/releases/tag/v0.6.26

FEDORA-2026-fd361a6f7f Packages in this update:

• libexif-0.6.26-1.fc44

Update description:

Update to 0.6.26, fixing several CVEs

https://github.com/libexif/libexif/releases/tag/v0.6.26

FEDORA-2026-b01307dc4d Packages in this update:

• libexif-0.6.26-1.fc42

Update description:

Update to 0.6.26, fixing several CVEs

https://github.com/libexif/libexif/releases/tag/v0.6.26

FEDORA-2026-156e6bfb27 Packages in this update:

• buildah-1.43.1-1.fc42
• podman-5.8.2-1.fc42
• skopeo-1.22.2-1.fc42

Update description:

Automatic update for buildah-1.43.1-1.fc42, skopeo-1.22.2-1.fc42, podman-5.8.2-1.fc42.

Changelog for buildah * Wed Apr 08 2026 Packit <hello@packit.dev> - 2:1.43.1-1 - Update to 1.43.1 upstream release Changelog for skopeo * Tue Apr 14 2026 Packit <hello@packit.dev> - 1:1.22.2-1 - Update to 1.22.2 upstream release * Fri Apr 10 2026 Lokesh Mandvekar <lsm5@redhat.com> - 1:1.22.1-2 - TMT: fix ref in plan * Thu Apr 09 2026 Packit <hello@packit.dev> - 1:1.22.1-1 - Update to 1.22.1 upstream release Changelog for podman * Tue Apr 14 2026 Packit <hello@packit.dev> - 5:5.8.2-1 - Update to 5.8.2 upstream release

Security fix for CVE-2026-34986

FEDORA-2026-75c2b7868a Packages in this update:

• buildah-1.43.1-1.fc43
• podman-5.8.2-1.fc43
• skopeo-1.22.2-1.fc43

Update description:

Automatic update for skopeo-1.22.2-1.fc43, podman-5.8.2-1.fc43, buildah-1.43.1-1.fc43.

Changelog for skopeo * Tue Apr 14 2026 Packit <hello@packit.dev> - 1:1.22.2-1 - Update to 1.22.2 upstream release * Fri Apr 10 2026 Lokesh Mandvekar <lsm5@redhat.com> - 1:1.22.1-2 - TMT: fix ref in plan * Thu Apr 09 2026 Packit <hello@packit.dev> - 1:1.22.1-1 - Update to 1.22.1 upstream release Changelog for podman * Tue Apr 14 2026 Packit <hello@packit.dev> - 5:5.8.2-1 - Update to 5.8.2 upstream release Changelog for buildah * Wed Apr 08 2026 Packit <hello@packit.dev> - 2:1.43.1-1 - Update to 1.43.1 upstream release

Security fix for CVE-2026-34986

FEDORA-2026-605559bfe2 Packages in this update:

• buildah-1.43.1-1.fc44
• podman-5.8.2-1.fc44
• skopeo-1.22.2-1.fc44

Update description:

Automatic update for buildah-1.43.1-1.fc44, podman-5.8.2-1.fc44, skopeo-1.22.2-1.fc44.

Changelog for buildah * Wed Apr 08 2026 Packit <hello@packit.dev> - 2:1.43.1-1 - Update to 1.43.1 upstream release Changelog for podman * Tue Apr 14 2026 Packit <hello@packit.dev> - 5:5.8.2-1 - Update to 5.8.2 upstream release Changelog for skopeo * Tue Apr 14 2026 Packit <hello@packit.dev> - 1:1.22.2-1 - Update to 1.22.2 upstream release * Fri Apr 10 2026 Lokesh Mandvekar <lsm5@redhat.com> - 1:1.22.1-2 - TMT: fix ref in plan * Thu Apr 09 2026 Packit <hello@packit.dev> - 1:1.22.1-1 - Update to 1.22.1 upstream release

Security fix for CVE-2026-34986

FEDORA-2026-3b2063832d Packages in this update:

• pie-1.4.1-1.fc42

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement