
Fedora has rolled out urgent security patches for the Chromium browser on Fedora 42 and for Python 3.14 on Fedora 43. The Chromium release fixes a long list of Critical and High severity flaws, with memory management errors showing up in everything from the GPU engine to WebRTC support. Python users need to install a separate update that closes four vulnerabilities, including a command injection risk and potential code execution through remote debugging features. You can apply both fixes right away by running the standard dnf upgrade command with the advisory ID given in each notification.

Fedora 42 Update: chromium-147.0.7727.137-1.fc42
Fedora 43 Update: python3.14-3.14.4-2.fc43




[SECURITY] Fedora 42 Update: chromium-147.0.7727.137-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-36fb406407
2026-05-04 01:07:05.793304+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 42
Version : 147.0.7727.137
Release : 1.fc42
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

The updates include fixes for:
Critical CVE-2026-7363: Use after free in Canvas
Critical CVE-2026-7361: Use after free in iOS
Critical CVE-2026-7344: Use after free in Accessibility
Critical CVE-2026-7343: Use after free in Views
High CVE-2026-7333: Use after free in GPU
High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
High CVE-2026-7359: Use after free in ANGLE
High CVE-2026-7358: Use after free in Animation
High CVE-2026-7334: Use after free in Views
High CVE-2026-7357: Use after free in GPU
High CVE-2026-7356: Use after free in Navigation
High CVE-2026-7354: Out of bounds read and write in Angle
High CVE-2026-7353: Heap buffer overflow in Skia
High CVE-2026-7352: Use after free in Media
High CVE-2026-7351: Race in MHTML
High CVE-2026-7350: Use after free in WebMIDI
High CVE-2026-7349: Use after free in Cast
High CVE-2026-7348: Use after free in Codecs
High CVE-2026-7335: Use after free in media
High CVE-2026-7336: Use after free in WebRTC
High CVE-2026-7337: Type Confusion in V8
High CVE-2026-7347: Use after free in Chromoting
High CVE-2026-7346: Inappropriate implementation in Tint
High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
High CVE-2026-7338: Use after free in Cast
High CVE-2026-7342: Use after free in WebView
High CVE-2026-7341: Use after free in WebRTC
Medium CVE-2026-7339: Heap buffer overflow in WebRTC
Medium CVE-2026-7340: Integer overflow in ANGLE
Medium CVE-2026-7355: Use after free in Media
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 Than Ngo [than@redhat.com] - 147.0.7727.137-1
- Update to 147.0.7727.137
* Critical CVE-2026-7363: Use after free in Canvas
* Critical CVE-2026-7361: Use after free in iOS
* Critical CVE-2026-7344: Use after free in Accessibility
* Critical CVE-2026-7343: Use after free in Views
* High CVE-2026-7333: Use after free in GPU
* High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
* High CVE-2026-7359: Use after free in ANGLE
* High CVE-2026-7358: Use after free in Animation
* High CVE-2026-7334: Use after free in Views
* High CVE-2026-7357: Use after free in GPU
* High CVE-2026-7356: Use after free in Navigation
* High CVE-2026-7354: Out of bounds read and write in Angle
* High CVE-2026-7353: Heap buffer overflow in Skia
* High CVE-2026-7352: Use after free in Media
* High CVE-2026-7351: Race in MHTML
* High CVE-2026-7350: Use after free in WebMIDI
* High CVE-2026-7349: Use after free in Cast
* High CVE-2026-7348: Use after free in Codecs
* High CVE-2026-7335: Use after free in media
* High CVE-2026-7336: Use after free in WebRTC
* High CVE-2026-7337: Type Confusion in V8
* High CVE-2026-7347: Use after free in Chromoting
* High CVE-2026-7346: Inappropriate implementation in Tint
* High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
* High CVE-2026-7338: Use after free in Cast
* High CVE-2026-7342: Use after free in WebView
* High CVE-2026-7341: Use after free in WebRTC
* Medium CVE-2026-7339: Heap buffer overflow in WebRTC
* Medium CVE-2026-7340: Integer overflow in ANGLE
* Medium CVE-2026-7355: Use after free in Media
* Sun Apr 26 2026 Than Ngo [than@redhat.com] - 147.0.7727.116-2
- Fix FTBFS with rust 1.95
- Backport the upstream fix GL native pixmap import support reset in GpuInit
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463710 - CVE-2026-7333 CVE-2026-7334 CVE-2026-7335 CVE-2026-7336 CVE-2026-7337 CVE-2026-7338 CVE-2026-7339 CVE-2026-7340 CVE-2026-7341 CVE-2026-7342 CVE-2026-7343 CVE-2026-7344 CVE-2026-7345 CVE-2026-7346 CVE-2026-7347 ... chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463710
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-36fb406407' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: python3.14-3.14.4-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-97a8eb204a
2026-05-04 00:54:31.536589+00:00
--------------------------------------------------------------------------------

Name : python3.14
Product : Fedora 43
Version : 3.14.4
Release : 2.fc43
URL : https://www.python.org/
Summary : Version 3.14 of the Python interpreter
Description :
Python 3.14 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

--------------------------------------------------------------------------------
Update Information:

Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-5713, CVE-2026-6100
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.14.4-2
- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-5713, CVE-2026-6100
Resolves: rhbz#2457944, rhbz#2458224, rhbz#2458488, rhbz#2458016
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2457944 - CVE-2026-1502 python3.14: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457944
[ 2 ] Bug #2458016 - CVE-2026-6100 python3.14: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458016
[ 3 ] Bug #2458224 - CVE-2026-4786 python3.14: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458224
[ 4 ] Bug #2458488 - CVE-2026-5713 python3.14: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458488
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-97a8eb204a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
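
A post-update check for the two advisories above, added here as an example and not part of the Fedora notifications. The function names are hypothetical, and GNU `sort -V` is assumed as a stand-in for RPM's own version comparison, which it matches for plain dotted-numeric builds like these.

```shell
#!/bin/sh
# Fixed builds, copied from the two advisories above.
FIXED_CHROMIUM='147.0.7727.137-1.fc42'
FIXED_PYTHON='3.14.4-2.fc43'

# at_least INSTALLED FIXED -> status 0 when INSTALLED sorts at or after FIXED.
# Assumption: `sort -V` ordering approximates RPM version comparison here.
at_least() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# verdict INSTALLED FIXED -> prints fixed | outdated | other-release.
# Each advisory covers one Fedora release, so a build with a different
# dist tag (fc42 vs fc43) is not compared against it.
verdict() {
    case "$1" in
        *."${2##*.}") ;;
        *) echo other-release; return 0 ;;
    esac
    if at_least "$1" "$2"; then echo fixed; else echo outdated; fi
}

# report PACKAGE FIXED -> one status line for the locally installed build.
report() {
    if vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null); then
        echo "$1 $vr: $(verdict "$vr" "$2")"
    else
        echo "$1: not installed"
    fi
}

# A browser or interpreter that was already running keeps the old code
# loaded until it is restarted, even when the package reports "fixed".
report chromium "$FIXED_CHROMIUM"
report python3.14 "$FIXED_PYTHON"
```
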

