Fedora Security Advisories

FEDORA-2026-67c20bfb74 Packages in this update:

• libpng-1.6.56-1.fc43

Update description:

1.6.56 is release fixes for the following two security vulnerabilities:

• CVE-2026-33416 (high severity): Use-after-free memory bug in the transparency and palette-handling code. Similar to its predecessor CVE-2026-25646, this latent bug has existed for 25 years. Both Halil Oktay and Ryo Shimada discovered it within days of one another.

• CVE-2026-33636 (high severity): Out-of-bounds read and write vulnerability in the ARM Neon palette-expansion code. This one was found and fixed by Taegu Ha and has existed since 1.6.36.

The images that trigger these bugs are valid. Users are encouraged to update immediately.

FEDORA-2026-ba18a54554 Packages in this update:

• libpng-1.6.56-1.fc42

Update description:

1.6.56 is release fixes for the following two security vulnerabilities:

• CVE-2026-33416 (high severity): Use-after-free memory bug in the transparency and palette-handling code. Similar to its predecessor CVE-2026-25646, this latent bug has existed for 25 years. Both Halil Oktay and Ryo Shimada discovered it within days of one another.

• CVE-2026-33636 (high severity): Out-of-bounds read and write vulnerability in the ARM Neon palette-expansion code. This one was found and fixed by Taegu Ha and has existed since 1.6.36.

The images that trigger these bugs are valid. Users are encouraged to update immediately.

FEDORA-2026-abd4c1829d Packages in this update:

• usd-26.03-2.fc45

Update description:

Automatic update for usd-26.03-2.fc45.

Changelog * Mon Apr 6 2026 Benjamin A. Beasley <code@musicinmybrain.net> - 26.03-2 - Backport fix for CVE-2026-34544 in OpenEXRCore - Fixes RHBZ#2454226

FEDORA-2026-a9017d0297 Packages in this update:

• incus-6.23-2.fc42

Update description:

Update to 6.23

FEDORA-2026-5af38b7ecb Packages in this update:

• incus-6.23-2.fc43

Update description:

Update to 6.23

FEDORA-EPEL-2026-1ce4512bd4 Packages in this update:

• prometheus-3.11.0-1.el10_3

Update description:

Update to 3.11.0

FEDORA-2026-8b0a672383 Packages in this update:

• glab-1.91.0-1.fc44

Update description:

Update to 1.91.0

FEDORA-2026-868e266938 Packages in this update:

• trivy-0.69.3-1.fc43

Update description:

Update to 0.69.3

FEDORA-2026-6fc2f11089 Packages in this update:

• trivy-0.69.3-1.fc44

Update description:

Update to 0.69.3

FEDORA-2026-7c83223889 Packages in this update:

• NetworkManager-ssh-1.4.3-1.fc43

Update description:

Fix CVE-2025-9615

FEDORA-2026-87e30fe05b Packages in this update:

• NetworkManager-ssh-1.4.3-1.fc45

Update description:

Automatic update for NetworkManager-ssh-1.4.3-1.fc45.

Changelog * Fri Apr 3 2026 Dan Fruehauf <malkodan@gmail.com> - 1.4.3-1 - Always run autoreconf -fvi - Fix file access for private key and known hosts (rhbz#2428396) - Fix pkg-config macro - Move D-Bus policy file to /usr/share/dbus-1/system.d/

FEDORA-2026-11097124bf Packages in this update:

• mingw-openexr-3.4.9-1.fc44

Update description:

Update to 3.4.9.

Update to 3.4.8.

FEDORA-EPEL-2026-f68290c016 Packages in this update:

• libopenmpt-0.8.6-1.el9

Update description: libopenmpt 0.8.6 (2026-03-24)

• [Sec] The security fix in libopenmpt 0.8.5 (r25042) was incomplete, causing a regression when playing short looped (“chip”) samples (r25084).

libopenmpt 0.8.5 (2026-03-22)

• [Sec] Possible out-of-bounds sample data read in a specific combination of reverse sample playback + offset past sample loop. (r25042).
• MOD: ProTracker arpeggio wrapraound results in an effective period of 65536 on Paula, not pausing the sample entirely.
• ULT: Loop points were incorrectly limited for 16-bit samples.
• zlib: Update to v1.3.2 (2026-02-17).
• miniz: Update to v3.1.1 (2026-02-03).

FEDORA-EPEL-2026-3e5052fb10 Packages in this update:

• libopenmpt-0.8.6-1.el10_2

Update description: libopenmpt 0.8.6 (2026-03-24)

• [Sec] The security fix in libopenmpt 0.8.5 (r25042) was incomplete, causing a regression when playing short looped (“chip”) samples (r25084).

libopenmpt 0.8.5 (2026-03-22)

• [Sec] Possible out-of-bounds sample data read in a specific combination of reverse sample playback + offset past sample loop. (r25042).
• MOD: ProTracker arpeggio wrapraound results in an effective period of 65536 on Paula, not pausing the sample entirely.
• ULT: Loop points were incorrectly limited for 16-bit samples.
• zlib: Update to v1.3.2 (2026-02-17).
• miniz: Update to v3.1.1 (2026-02-03).

FEDORA-EPEL-2026-b529a37d50 Packages in this update:

• libopenmpt-0.8.6-1.el10_1

Update description: libopenmpt 0.8.6 (2026-03-24)

• [Sec] The security fix in libopenmpt 0.8.5 (r25042) was incomplete, causing a regression when playing short looped (“chip”) samples (r25084).

libopenmpt 0.8.5 (2026-03-22)

• [Sec] Possible out-of-bounds sample data read in a specific combination of reverse sample playback + offset past sample loop. (r25042).
• MOD: ProTracker arpeggio wrapraound results in an effective period of 65536 on Paula, not pausing the sample entirely.
• ULT: Loop points were incorrectly limited for 16-bit samples.
• zlib: Update to v1.3.2 (2026-02-17).
• miniz: Update to v3.1.1 (2026-02-03).

FEDORA-EPEL-2026-171a377c45 Packages in this update:

• libopenmpt-0.8.6-1.el10_3

Update description: libopenmpt 0.8.6 (2026-03-24)

• [Sec] The security fix in libopenmpt 0.8.5 (r25042) was incomplete, causing a regression when playing short looped (“chip”) samples (r25084).

libopenmpt 0.8.5 (2026-03-22)

• [Sec] Possible out-of-bounds sample data read in a specific combination of reverse sample playback + offset past sample loop. (r25042).
• MOD: ProTracker arpeggio wrapraound results in an effective period of 65536 on Paula, not pausing the sample entirely.
• ULT: Loop points were incorrectly limited for 16-bit samples.
• zlib: Update to v1.3.2 (2026-02-17).
• miniz: Update to v3.1.1 (2026-02-03).

FEDORA-EPEL-2026-4a5d8adc71 Packages in this update:

• libopenmpt-0.8.6-1.el8

Update description: libopenmpt 0.8.6 (2026-03-24)

• [Sec] The security fix in libopenmpt 0.8.5 (r25042) was incomplete, causing a regression when playing short looped (“chip”) samples (r25084).

libopenmpt 0.8.5 (2026-03-22)

• [Sec] Possible out-of-bounds sample data read in a specific combination of reverse sample playback + offset past sample loop. (r25042).
• MOD: ProTracker arpeggio wrapraound results in an effective period of 65536 on Paula, not pausing the sample entirely.
• ULT: Loop points were incorrectly limited for 16-bit samples.
• zlib: Update to v1.3.2 (2026-02-17).
• miniz: Update to v3.1.1 (2026-02-03).

FEDORA-2026-2490896a5d Packages in this update:

• pdns-recursor-5.2.8-1.fc42

Update description:

Update to latest 5.2 release, fixing multiple security issues

FEDORA-2026-9c582575e5 Packages in this update:

• pdns-recursor-5.2.8-1.fc43

Update description:

Update to latest 5.2 release, fixing multiple security issues

FEDORA-2026-db1ef256e0 Packages in this update:

• pdns-recursor-5.4.0-1.fc44

Update description:

Update to latest upstream