[DSA 6239-1] chromium security update
[DLA 4556-1] dovecot security update
[DSA 6241-1] python-aiohttp security update
[DSA 6240-1] imagemagick security update
[DLA 4558-1] libexif security update
[DLA 4557-1] pyasn1 security update
[DSA 6197-3] dovecot regression update
[DLA 4559-1] imagemagick security update
[DSA 6243-1] linux security update
[DSA 6242-1] thunderbird security update
[SECURITY] [DSA 6239-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6239-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
May 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-7333 CVE-2026-7334 CVE-2026-7335 CVE-2026-7336
CVE-2026-7337 CVE-2026-7338 CVE-2026-7339 CVE-2026-7340
CVE-2026-7341 CVE-2026-7342 CVE-2026-7343 CVE-2026-7344
CVE-2026-7345 CVE-2026-7346 CVE-2026-7347 CVE-2026-7348
CVE-2026-7349 CVE-2026-7350 CVE-2026-7351 CVE-2026-7352
CVE-2026-7353 CVE-2026-7354 CVE-2026-7355 CVE-2026-7356
CVE-2026-7357 CVE-2026-7358 CVE-2026-7359 CVE-2026-7360
CVE-2026-7361 CVE-2026-7363
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 147.0.7727.137-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 147.0.7727.137-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4556-1] dovecot security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4556-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
May 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : dovecot
Version : 1:2.3.13+dfsg1-2+deb11u3
CVE ID : CVE-2025-59031 CVE-2025-59032 CVE-2026-0394 CVE-2026-27855
CVE-2026-27856 CVE-2026-27857 CVE-2026-27858 CVE-2026-27859
Multiple vulnerabilities were discovered in dovecot, a POP3/IMAP server,
which could lead to Denial of Service, information leak, path traversal,
authentication bypass, replay attacks or timing side channel attacks.
CVE-2025-59031
The decode2text.sh example script, which was installed into
dovecot-core/examples, was found to handle zip-style attachments in an
unsafe manner. In particular, OOXML extraction may follow symlinks
and read unintended files during indexing. The script is no longer
installed.
CVE-2025-59032
It was found that the ManageSieve AUTHENTICATE command crashes the
ManageSieve service when using literal as SASL initial response,
leading to Denial of Service.
CVE-2026-0394
A path traversal vulnerability was discovered in the passwd-file
passdb/userdb when dovecot has been configured to use per-domain
passwd files, allowing /etc/passwd to be read inadvertently in some
situations. If this file contains passwords, it can be used to
authenticate wrongly, or if this is the userdb, it can incorrectly make
system users appear to be valid users.
CVE-2026-27855
The OTP authentication driver was found to be vulnerable to a replay
attack if the auth cache is enabled and the username is altered in
passdb. An attacker able to observe an OTP exchange is therefore
able to impersonate the user.
CVE-2026-27856
Doveadm credentials were not checked using timing-safe comparison
functions. An attacker can exploit this issue to discover configured
credentials, leading to full access to the affected component.
CVE-2026-27857
It was discovered that sending excessive parentheses caused the
imap-login process to use excessive memory, leading to Denial of
Service.
CVE-2026-27858
It was discovered that the managesieve-login process could allocate
a large amount of memory during authentication via a specially crafted
message, leading to Denial of Service.
CVE-2026-27859
It was discovered that excessive RFC 2231 MIME parameters in an email
would cause excessive CPU usage, which could lead to Denial of
Service. Dovecot now limits the number of parameters to process.
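The two passdb-side issues above, CVE-2026-0394 (per-domain passwd-file path traversal) and CVE-2026-27856 (doveadm credentials compared without a timing-safe function), illustrated in Python as an added example; this is not Dovecot's code. It assumes a per-domain file layout of /etc/dovecot/domains/%d/passwd, where %d is the domain part of the login name (the advisory does not state the actual template or the exact input that reaches /etc/passwd), and shows the unsafe substitution beside a hardened one, plus the constant-time comparison a credential check should use.

```python
"""Added illustration (not Dovecot's code) for the two passdb issues above.
Assumed layout: /etc/dovecot/domains/%d/passwd, %d = domain of the login."""
import hmac
import os
import re

BASE_DIR = "/etc/dovecot/domains"          # assumed per-domain directory
TEMPLATE = BASE_DIR + "/%d/passwd"         # assumed passwd-file template


def domain_of(login):
    """Domain part of user@domain; empty string when the login has none."""
    return login.partition("@")[2]


def passwd_path_unsafe(login):
    """Substitute the attacker-controlled domain straight into the template.
    A login such as 'x@../../../etc' normalises to /etc/passwd, so the
    system passwd file ends up being used as the passdb/userdb."""
    return os.path.normpath(TEMPLATE.replace("%d", domain_of(login)))


# Hostname labels only: alphanumerics and '-', no empty label, no leading '-'.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


class BadDomain(ValueError):
    """Raised when the domain cannot select a per-domain passwd file."""


def passwd_path_safe(login):
    """Reject anything that is not a plain hostname (this also rejects an
    empty domain and any '/', '..' or '%' sequence), then confirm the
    normalised path still lives under BASE_DIR as a second line of defence."""
    domain = domain_of(login)
    if not DOMAIN_RE.match(domain):
        raise BadDomain("domain %r is not a valid hostname" % domain)
    path = os.path.normpath(TEMPLATE.replace("%d", domain))
    if os.path.commonpath([BASE_DIR, path]) != BASE_DIR:
        raise BadDomain("resolved path %s escapes %s" % (path, BASE_DIR))
    return path


def doveadm_key_ok_unsafe(presented, configured):
    """Ordinary equality is not guaranteed to take the same time for every
    wrong input; the leading-bytes-match time difference is the side channel
    the advisory describes."""
    return presented == configured


def doveadm_key_ok(presented, configured):
    """Constant-time comparison; a length mismatch returns False without the
    timing depending on the contents."""
    return hmac.compare_digest(presented.encode("utf-8"),
                               configured.encode("utf-8"))
```

On a live system, resolve the final path with os.path.realpath as well before the prefix check so a symlink planted inside the domain directory cannot point back out of it.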
For Debian 11 bullseye, these problems have been fixed in version
1:2.3.13+dfsg1-2+deb11u3.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6241-1] python-aiohttp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6241-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-aiohttp
CVE ID : CVE-2025-69223 CVE-2025-69224 CVE-2025-69225
CVE-2025-69226 CVE-2025-69227 CVE-2025-69228
CVE-2025-69229
Multiple security vulnerabilities were discovered in Python aiohttp, an
asynchronous HTTP client/server for asyncio, which could result in
denial of service, HTTP request smuggling or information disclosure.
For the stable distribution (trixie), these problems have been fixed in
version 3.11.16-1+deb13u1.
We recommend that you upgrade your python-aiohttp packages.
For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6240-1] imagemagick security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6240-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : imagemagick
CVE ID : CVE-2026-32636 CVE-2026-33535 CVE-2026-33536 CVE-2026-33899
CVE-2026-33900 CVE-2026-33901 CVE-2026-33902 CVE-2026-33905
CVE-2026-33908 CVE-2026-34238 CVE-2026-40169 CVE-2026-40183
CVE-2026-40310 CVE-2026-40311 CVE-2026-40312
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or potentially
arbitrary code execution if malformed images are processed.
For the stable distribution (trixie), these problems have been fixed in
version 8:7.1.1.43+dfsg1-1+deb13u8.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4558-1] libexif security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4558-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
May 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libexif
Version : 0.6.22-3+deb11u1
CVE ID : CVE-2026-32775 CVE-2026-40385 CVE-2026-40386
Debian Bug : 1131116 1133922 1133923
Three security vulnerabilities were discovered in libexif, a library for
reading and writing EXIF metainformation from and to image files, that can
cause crashes or information leaks.
CVE-2026-32775
If the exif_mnote_data_get_value function for MakerNotes is passed
a size of 0, the passed-in buffer would be overwritten due to an
integer underflow.
CVE-2026-40385
An unsigned 32-bit integer overflow in Nikon MakerNote handling could
be used by local attackers to cause crashes or information leaks.
CVE-2026-40386
An integer underflow in size checking for Fuji and Olympus MakerNote
decoding could be used by attackers to crash or leak information out
of libexif-using programs.
For Debian 11 bullseye, these problems have been fixed in version
0.6.22-3+deb11u1.
We recommend that you upgrade your libexif packages.
For the detailed security status of libexif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libexif
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4557-1] pyasn1 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4557-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
May 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : pyasn1
Version : 0.4.8-1+deb11u2
CVE ID : CVE-2026-30922
Debian Bug : 1131371
It was discovered that pyasn1, a generic ASN.1 library for Python, is vulnerable
to a Denial of Service (DoS) attack caused by uncontrolled recursion when
decoding ASN.1 data with deeply nested structures. This vulnerability can force
the decoder to recursively call itself until the Python interpreter crashes with a
`RecursionError` or consumes all available memory, crashing the host application.
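The recursion problem described above, as an added Python example rather than pyasn1's own code: a minimal DER reader with and without a nesting budget, run over a constructed 5000-level nested SEQUENCE. The builder, the decoder, the NestingTooDeep error and the depth limit are assumptions for the illustration and are not pyasn1's implementation or its fix.

```python
"""Added illustration (not pyasn1's code): unbounded versus depth-limited
recursion over nested DER SEQUENCEs. The nested input is constructed."""

SEQUENCE = 0x30
NULL = 0x05
CONSTRUCTED = 0x20   # tag bit that marks a value as containing further TLVs


def der_length(n):
    """DER length octets: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nested_sequence(depth):
    """SEQUENCE { SEQUENCE { ... NULL } } nested `depth` times (constructed)."""
    blob = bytes([NULL, 0])
    for _ in range(depth):
        blob = bytes([SEQUENCE]) + der_length(len(blob)) + blob
    return blob


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("length runs past end of input")
    return tag, data[pos:end], end


def decode_naive(data):
    """Recurse into every constructed value with no limit: a deeply nested
    input exhausts the interpreter stack and dies with RecursionError."""
    items, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        items.append((tag, decode_naive(value) if tag & CONSTRUCTED else value))
    return items


class NestingTooDeep(ValueError):
    """Input nests constructed values deeper than the configured budget."""


def decode_bounded(data, max_depth=32, _depth=0):
    """Same parser with an explicit nesting budget; the budget is checked
    before descending, so the interpreter's own limit is never reached."""
    if _depth > max_depth:
        raise NestingTooDeep("nesting deeper than %d levels" % max_depth)
    items, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        if tag & CONSTRUCTED:
            value = decode_bounded(value, max_depth, _depth + 1)
        items.append((tag, value))
    return items


def naive_decoder_overflows(data):
    """True when the unbounded decoder fails with RecursionError."""
    try:
        decode_naive(data)
    except RecursionError:
        return True
    return False
```

The budget of 32 is arbitrary here; real ASN.1 structures such as certificates rarely nest beyond a dozen levels, so a small fixed cap costs nothing for legitimate input while turning the crash into a clean parse error.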
For Debian 11 bullseye, this problem has been fixed in version
0.4.8-1+deb11u2.
We recommend that you upgrade your pyasn1 packages.
For the detailed security status of pyasn1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pyasn1
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6197-3] dovecot regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6197-3 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : dovecot
Debian Bug : 1134464
The oldstable (bookworm) backport of the security fix for CVE-2026-0394
introduced a regression in the passwd-file path normalization. Updated
packages are now available to correct this issue.
For the oldstable distribution (bookworm), this problem has been fixed
in version 1:2.3.19.1+dfsg1-2.1+deb12u4.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4559-1] imagemagick security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4559-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
May 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u12
CVE ID : CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33905
CVE-2026-33908 CVE-2026-34238 CVE-2026-40310 CVE-2026-40311
Debian Bug : 1134627
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or potentially
arbitrary code execution if malformed images are processed.
For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u12.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6243-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6243-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2023-53228 CVE-2023-53510 CVE-2023-53545 CVE-2024-47736
CVE-2024-47809 CVE-2024-49998 CVE-2024-50298 CVE-2024-56719
CVE-2025-21676 CVE-2025-21682 CVE-2025-37945 CVE-2025-37980
CVE-2025-38105 CVE-2025-38162 CVE-2025-38192 CVE-2025-38250
CVE-2025-38303 CVE-2025-38436 CVE-2025-38626 CVE-2025-38659
CVE-2025-38704 CVE-2025-39748 CVE-2025-39764 CVE-2025-39863
CVE-2025-40005 CVE-2025-40016 CVE-2025-40135 CVE-2025-40219
CVE-2025-40242 CVE-2025-40261 CVE-2025-40358 CVE-2025-68206
CVE-2025-68239 CVE-2025-68265 CVE-2025-71067 CVE-2025-71161
CVE-2025-71221 CVE-2025-71265 CVE-2025-71266 CVE-2025-71267
CVE-2025-71269 CVE-2026-23100 CVE-2026-23113 CVE-2026-23141
CVE-2026-23154 CVE-2026-23157 CVE-2026-23204 CVE-2026-23227
CVE-2026-23231 CVE-2026-23242 CVE-2026-23243 CVE-2026-23245
CVE-2026-23253 CVE-2026-23270 CVE-2026-23271 CVE-2026-23273
CVE-2026-23274 CVE-2026-23277 CVE-2026-23279 CVE-2026-23281
CVE-2026-23284 CVE-2026-23286 CVE-2026-23287 CVE-2026-23289
CVE-2026-23290 CVE-2026-23291 CVE-2026-23292 CVE-2026-23293
CVE-2026-23296 CVE-2026-23298 CVE-2026-23300 CVE-2026-23303
CVE-2026-23304 CVE-2026-23306 CVE-2026-23307 CVE-2026-23312
CVE-2026-23315 CVE-2026-23317 CVE-2026-23318 CVE-2026-23319
CVE-2026-23321 CVE-2026-23324 CVE-2026-23335 CVE-2026-23336
CVE-2026-23339 CVE-2026-23340 CVE-2026-23343 CVE-2026-23351
CVE-2026-23352 CVE-2026-23356 CVE-2026-23357 CVE-2026-23359
CVE-2026-23362 CVE-2026-23364 CVE-2026-23365 CVE-2026-23367
CVE-2026-23368 CVE-2026-23370 CVE-2026-23372 CVE-2026-23378
CVE-2026-23379 CVE-2026-23381 CVE-2026-23382 CVE-2026-23388
CVE-2026-23391 CVE-2026-23392 CVE-2026-23395 CVE-2026-23396
CVE-2026-23397 CVE-2026-23398 CVE-2026-23401 CVE-2026-23414
CVE-2026-23420 CVE-2026-23422 CVE-2026-23426 CVE-2026-23428
CVE-2026-23434 CVE-2026-23438 CVE-2026-23439 CVE-2026-23446
CVE-2026-23449 CVE-2026-23450 CVE-2026-23452 CVE-2026-23454
CVE-2026-23455 CVE-2026-23456 CVE-2026-23457 CVE-2026-23458
CVE-2026-23460 CVE-2026-23462 CVE-2026-23463 CVE-2026-23474
CVE-2026-23475 CVE-2026-31389 CVE-2026-31391 CVE-2026-31392
CVE-2026-31393 CVE-2026-31396 CVE-2026-31399 CVE-2026-31400
CVE-2026-31402 CVE-2026-31403 CVE-2026-31405 CVE-2026-31408
CVE-2026-31409 CVE-2026-31411 CVE-2026-31412 CVE-2026-31414
CVE-2026-31415 CVE-2026-31416 CVE-2026-31417 CVE-2026-31418
CVE-2026-31421 CVE-2026-31422 CVE-2026-31423 CVE-2026-31424
CVE-2026-31425 CVE-2026-31426 CVE-2026-31427 CVE-2026-31428
CVE-2026-31431 CVE-2026-31433 CVE-2026-31434 CVE-2026-31441
CVE-2026-31446 CVE-2026-31447 CVE-2026-31448 CVE-2026-31450
CVE-2026-31452 CVE-2026-31453 CVE-2026-31454 CVE-2026-31455
CVE-2026-31464 CVE-2026-31466 CVE-2026-31467 CVE-2026-31469
CVE-2026-31473 CVE-2026-31476 CVE-2026-31477 CVE-2026-31478
CVE-2026-31480 CVE-2026-31483 CVE-2026-31485 CVE-2026-31492
CVE-2026-31494 CVE-2026-31495 CVE-2026-31496 CVE-2026-31497
CVE-2026-31498 CVE-2026-31503 CVE-2026-31504 CVE-2026-31507
CVE-2026-31508 CVE-2026-31509 CVE-2026-31510 CVE-2026-31512
CVE-2026-31515 CVE-2026-31518 CVE-2026-31519 CVE-2026-31520
CVE-2026-31521 CVE-2026-31522 CVE-2026-31523 CVE-2026-31524
CVE-2026-31533 CVE-2026-31540 CVE-2026-31545 CVE-2026-31546
CVE-2026-31548 CVE-2026-31549 CVE-2026-31550 CVE-2026-31551
CVE-2026-31552 CVE-2026-31555 CVE-2026-31563 CVE-2026-31565
CVE-2026-31566 CVE-2026-31570 CVE-2026-31628 CVE-2026-31634
CVE-2026-31649 CVE-2026-31651 CVE-2026-31656 CVE-2026-31657
CVE-2026-31658 CVE-2026-31659 CVE-2026-31660 CVE-2026-31661
CVE-2026-31662 CVE-2026-31664 CVE-2026-31665 CVE-2026-31667
CVE-2026-31668 CVE-2026-31669 CVE-2026-31670 CVE-2026-31671
CVE-2026-31672 CVE-2026-31674 CVE-2026-31678 CVE-2026-31679
CVE-2026-31680 CVE-2026-31682 CVE-2026-31683 CVE-2026-31689
CVE-2026-31695 CVE-2026-31720 CVE-2026-31721 CVE-2026-31726
CVE-2026-31728 CVE-2026-31737 CVE-2026-31738 CVE-2026-31747
CVE-2026-31748 CVE-2026-31749 CVE-2026-31751 CVE-2026-31752
CVE-2026-31754 CVE-2026-31755 CVE-2026-31756 CVE-2026-31758
CVE-2026-31759 CVE-2026-31761 CVE-2026-31762 CVE-2026-31763
CVE-2026-31768 CVE-2026-31770 CVE-2026-31773 CVE-2026-31776
CVE-2026-31778 CVE-2026-31779 CVE-2026-31780 CVE-2026-31781
CVE-2026-31786 CVE-2026-31787 CVE-2026-31788 CVE-2026-43011
CVE-2026-43013 CVE-2026-43014 CVE-2026-43015 CVE-2026-43017
CVE-2026-43018 CVE-2026-43020 CVE-2026-43023 CVE-2026-43024
CVE-2026-43025 CVE-2026-43026 CVE-2026-43027 CVE-2026-43028
CVE-2026-43030 CVE-2026-43032 CVE-2026-43033 CVE-2026-43035
CVE-2026-43037 CVE-2026-43038 CVE-2026-43040 CVE-2026-43041
CVE-2026-43043 CVE-2026-43046 CVE-2026-43047 CVE-2026-43050
CVE-2026-43051 CVE-2026-43054 CVE-2026-43057
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For the oldstable distribution (bookworm), these problems have been fixed
in version 6.1.170-1.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6242-1] thunderbird security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6242-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : thunderbird
CVE ID : CVE-2026-7320 CVE-2026-7321 CVE-2026-7322 CVE-2026-7323
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1:140.10.1esr-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 1:140.10.1esr-1~deb13u1.
We recommend that you upgrade your thunderbird packages.
For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
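The check a practitioner wants after reading a digest like this, added here as an example and not part of Debian's tooling: compare an installed version against the fixed versions stated in the advisories above using the same ordering rules as dpkg --compare-versions (epoch first, then upstream version, then Debian revision; a tilde sorts before anything, including the end of the string, and letters sort before non-letters). The FIXED table is copied from the advisories on this page; the INSTALLED sample is constructed, and the dpkg-query helper is only called when you invoke it.

```python
"""Added helper (not Debian tooling): installed versus advisory-fixed versions
with dpkg's ordering rules. FIXED is copied from the advisories above."""
import subprocess

FIXED = {  # (source package, suite) -> fixed version, from the advisories
    ("chromium", "bookworm"): "147.0.7727.137-1~deb12u1",
    ("chromium", "trixie"): "147.0.7727.137-1~deb13u1",
    ("dovecot", "bullseye"): "1:2.3.13+dfsg1-2+deb11u3",
    ("dovecot", "bookworm"): "1:2.3.19.1+dfsg1-2.1+deb12u4",
    ("python-aiohttp", "trixie"): "3.11.16-1+deb13u1",
    ("imagemagick", "trixie"): "8:7.1.1.43+dfsg1-1+deb13u8",
    ("imagemagick", "bullseye"): "8:6.9.11.60+dfsg-1.3+deb11u12",
    ("libexif", "bullseye"): "0.6.22-3+deb11u1",
    ("pyasn1", "bullseye"): "0.4.8-1+deb11u2",
    ("linux", "bookworm"): "6.1.170-1",
    ("thunderbird", "bookworm"): "1:140.10.1esr-1~deb12u1",
    ("thunderbird", "trixie"): "1:140.10.1esr-1~deb13u1",
}


def _isdigit(c):
    return c is not None and "0" <= c <= "9"


def _order(c):
    """dpkg's character weight: digits 0, letters ASCII, '~' below everything
    (even end-of-string, which is 0), other symbols above all letters."""
    if c is None or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs (lexical, weighted)
    and digit runs (numeric). Returns <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1          # a has more digits in this run, so it is larger
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """[epoch:]upstream[-revision]; a missing revision compares like '0'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 with the same result as `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def status(package, suite, installed):
    """'fixed' when installed >= the advisory version, 'vulnerable' when
    older, 'unknown' when this page lists no fix for that package/suite."""
    fixed = FIXED.get((package, suite))
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


def installed_version(binary_package):
    """Ask dpkg for the installed version; None when not installed or no dpkg."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", binary_package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


INSTALLED = {  # constructed sample, not taken from any real host
    ("chromium", "bookworm"): "147.0.7727.137-1~deb12u1",
    ("dovecot", "bullseye"): "1:2.3.13+dfsg1-2+deb11u2",
    ("thunderbird", "trixie"): "1:140.10.1esr-1",   # the version without ~deb13u1 is newer
}


def report(installed=INSTALLED):
    return {key: status(key[0], key[1], ver) for key, ver in installed.items()}
```

The advisories name source packages; on a host, query the binary packages actually installed (dovecot-core, python3-aiohttp, python3-pyasn1, libexif12, the linux-image package in use, and so on) with installed_version() and map them back to the source package yourself. The tilde rule matters for the comparison: 1:140.10.1esr-1~deb13u1 sorts below 1:140.10.1esr-1, so a host carrying the plain revision is reported as fixed, which is the behaviour dpkg itself has.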