Fedora has issued security updates for the Chromium Embedded Framework (cef) on both Fedora 43 and Fedora 44. The packages move to version 145.0.28 with chromium 145.0.7632.159 and address a range of CVEs, including integer overflows in ANGLE, Skia and V8 and heap buffer overflows in PDFium, WebCodecs and Media. The cef changelog also records the adoption of C++20 for the libcef target and links to Bug #2437035 for more details. In addition, Fedora 43 received an update to Vim 9.2.112 that fixes multiple CVEs (CVE-2026-28417 through CVE-2026-28422) involving command injection, buffer overflows and information disclosure in plugins and terminal handling. Each advisory can be applied with dnf upgrade --advisory followed by the advisory ID, and all packages are signed with the Fedora Project GPG key.

Fedora 43 Update: cef-145.0.28^chromium145.0.7632.159-1.fc43
Fedora 43 Update: vim-9.2.112-2.fc43
Fedora 44 Update: cef-145.0.28^chromium145.0.7632.159-1.fc44




[SECURITY] Fedora 43 Update: cef-145.0.28^chromium145.0.7632.159-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b5f8adc627
2026-03-08 01:26:02.293241+00:00
--------------------------------------------------------------------------------

Name : cef
Product : Fedora 43
Version : 145.0.28^chromium145.0.7632.159
Release : 1.fc43
URL : https://bitbucket.org/chromiumembedded/cef
Summary : Chromium Embedded Framework
Description :
CEF is an embeddable build of Chromium, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Bump to cef-145.0.28+g51162e8 + chromium 145.0.7632.159 (rhbz#2437035)
CVE-2026-3536: Integer overflow in ANGLE
CVE-2026-3537: Object lifecycle issue in PowerVR
CVE-2026-3538: Integer overflow in Skia
CVE-2026-3539: Object lifecycle issue in DevTools
CVE-2026-3540: Inappropriate implementation in WebAudio
CVE-2026-3541: Inappropriate implementation in CSS
CVE-2026-3542: Inappropriate implementation in WebAssembly
CVE-2026-3543: Inappropriate implementation in V8
CVE-2026-3544: Heap buffer overflow in WebCodecs
CVE-2026-3545: Insufficient data validation in Navigation
CVE-2026-3061: Out of bounds read in Media
CVE-2026-3062: Out of bounds read and write in Tint
CVE-2026-3063: Inappropriate implementation in DevTools
CVE-2026-2648: Heap buffer overflow in PDFium
CVE-2026-2649: Integer overflow in V8
CVE-2026-2650: Heap buffer overflow in Media
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 7 2026 Hoshino Lina [lina@lina.yt] - 145.0.28^chromium145.0.7632.159-1
- Bump to cef-145.0.28+g51162e8 (rhbz#2437035)
* Sat Mar 7 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.159-1
- Update to 145.0.7632.159
- * CVE-2026-3536: Integer overflow in ANGLE
- * CVE-2026-3537: Object lifecycle issue in PowerVR
- * CVE-2026-3538: Integer overflow in Skia
- * CVE-2026-3539: Object lifecycle issue in DevTools
- * CVE-2026-3540: Inappropriate implementation in WebAudio
- * CVE-2026-3541: Inappropriate implementation in CSS
- * CVE-2026-3542: Inappropriate implementation in WebAssembly
- * CVE-2026-3543: Inappropriate implementation in V8
- * CVE-2026-3544: Heap buffer overflow in WebCodecs
- * CVE-2026-3545: Insufficient data validation in Navigation
* Sat Mar 7 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.116-1
- Update to 145.0.7632.116
- * CVE-2026-3061: Out of bounds read in Media
- * CVE-2026-3062: Out of bounds read and write in Tint
- * CVE-2026-3063: Inappropriate implementation in DevTools
* Sat Mar 7 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.109-1
- Update to 145.0.7632.109
- * CVE-2026-2648: Heap buffer overflow in PDFium
- * CVE-2026-2649: Integer overflow in V8
- * CVE-2026-2650: Heap buffer overflow in Media
* Sat Mar 7 2026 Hoshino Lina [lina@lina.yt] - 145.0.25^chromium145.0.7632.75-5
- Use C++20 for libcef target
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437035 - cef-145.0.28 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2437035
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b5f8adc627' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: vim-9.2.112-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-651ba4626f
2026-03-08 01:26:02.293213+00:00
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 43
Version : 9.2.112
Release : 2.fc43
URL : https://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

Security fixes for CVE-2026-28417, CVE-2026-28418, CVE-2026-28419,
CVE-2026-28420, CVE-2026-28421, CVE-2026-28422
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 6 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.112-2
- fix tests which expect mouse=a
* Fri Mar 6 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.112-1
- patchlevel 112
* Thu Feb 26 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.045-2
- rebuilt
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2443455 - CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
https://bugzilla.redhat.com/show_bug.cgi?id=2443455
[ 2 ] Bug #2443474 - CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
https://bugzilla.redhat.com/show_bug.cgi?id=2443474
[ 3 ] Bug #2443475 - CVE-2026-28422 vim: Vim: Integrity impact due to stack-buffer-overflow via wide terminal statusline rendering
https://bugzilla.redhat.com/show_bug.cgi?id=2443475
[ 4 ] Bug #2443481 - CVE-2026-28418 vim: Vim: Information disclosure via heap-based buffer overflow in Emacs-style tags file parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2443481
[ 5 ] Bug #2443482 - CVE-2026-28419 vim: Vim: Information disclosure and denial of service via malformed tags file
https://bugzilla.redhat.com/show_bug.cgi?id=2443482
[ 6 ] Bug #2443484 - CVE-2026-28420 vim: Vim: Information disclosure and denial of service via crafted Unicode characters in terminal emulator
https://bugzilla.redhat.com/show_bug.cgi?id=2443484
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-651ba4626f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: cef-145.0.28^chromium145.0.7632.159-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9834b25fc2
2026-03-08 00:14:49.474992+00:00
--------------------------------------------------------------------------------

Name : cef
Product : Fedora 44
Version : 145.0.28^chromium145.0.7632.159
Release : 1.fc44
URL : https://bitbucket.org/chromiumembedded/cef
Summary : Chromium Embedded Framework
Description :
CEF is an embeddable build of Chromium, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Bump to cef-145.0.28+g51162e8 + chromium 145.0.7632.159 (rhbz#2437035)
CVE-2026-3536: Integer overflow in ANGLE
CVE-2026-3537: Object lifecycle issue in PowerVR
CVE-2026-3538: Integer overflow in Skia
CVE-2026-3539: Object lifecycle issue in DevTools
CVE-2026-3540: Inappropriate implementation in WebAudio
CVE-2026-3541: Inappropriate implementation in CSS
CVE-2026-3542: Inappropriate implementation in WebAssembly
CVE-2026-3543: Inappropriate implementation in V8
CVE-2026-3544: Heap buffer overflow in WebCodecs
CVE-2026-3545: Insufficient data validation in Navigation
CVE-2026-3061: Out of bounds read in Media
CVE-2026-3062: Out of bounds read and write in Tint
CVE-2026-3063: Inappropriate implementation in DevTools
CVE-2026-2648: Heap buffer overflow in PDFium
CVE-2026-2649: Integer overflow in V8
CVE-2026-2650: Heap buffer overflow in Media
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 7 2026 Hoshino Lina [lina@lina.yt] - 145.0.28^chromium145.0.7632.159-1
- Bump to cef-145.0.28+g51162e8 (rhbz#2437035)
* Sat Mar 7 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.159-1
- Update to 145.0.7632.159
- * CVE-2026-3536: Integer overflow in ANGLE
- * CVE-2026-3537: Object lifecycle issue in PowerVR
- * CVE-2026-3538: Integer overflow in Skia
- * CVE-2026-3539: Object lifecycle issue in DevTools
- * CVE-2026-3540: Inappropriate implementation in WebAudio
- * CVE-2026-3541: Inappropriate implementation in CSS
- * CVE-2026-3542: Inappropriate implementation in WebAssembly
- * CVE-2026-3543: Inappropriate implementation in V8
- * CVE-2026-3544: Heap buffer overflow in WebCodecs
- * CVE-2026-3545: Insufficient data validation in Navigation
* Sat Mar 7 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.116-1
- Update to 145.0.7632.116
- * CVE-2026-3061: Out of bounds read in Media
- * CVE-2026-3062: Out of bounds read and write in Tint
- * CVE-2026-3063: Inappropriate implementation in DevTools
* Sat Mar 7 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.109-1
- Update to 145.0.7632.109
- * CVE-2026-2648: Heap buffer overflow in PDFium
- * CVE-2026-2649: Integer overflow in V8
- * CVE-2026-2650: Heap buffer overflow in Media
* Sat Mar 7 2026 Hoshino Lina [lina@lina.yt] - 145.0.25^chromium145.0.7632.75-5
- Use C++20 for libcef target
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437035 - cef-145.0.28 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2437035
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9834b25fc2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

