Three security updates have been released for Fedora 42 and Fedora 43. The first update is for Chromium, a web browser that has been updated to version 144.0.7559.59 to fix several vulnerabilities (CVE-2026-0899 through CVE-2026-0908). The second update is for the libtpms library, which provides Trusted Platform Module functionality for VMs and has also been updated to version 0.10.2 to fix a vulnerability (CVE-2026-21444).

Fedora 42 Update: chromium-144.0.7559.59-1.fc42
Fedora 42 Update: musescore-4.3.2-20.fc42
Fedora 42 Update: libtpms-0.10.2-1.fc42
Fedora 43 Update: chromium-144.0.7559.59-1.fc43
Fedora 43 Update: libtpms-0.10.2-1.fc43

[SECURITY] Fedora 42 Update: chromium-144.0.7559.59-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3736e2ff1a
2026-01-18 01:43:54.890050+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 42
Version : 144.0.7559.59
Release : 1.fc42
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 144.0.7559.59
* CVE-2026-0899: Out of bounds memory access in V8
* CVE-2026-0900: Inappropriate implementation in V8
* CVE-2026-0901: Inappropriate implementation in Blink
* CVE-2026-0902: Inappropriate implementation in V8
* CVE-2026-0903: Insufficient validation of untrusted input in Downloads
* CVE-2026-0904: Incorrect security UI in Digital Credentials
* CVE-2026-0905: Insufficient policy enforcement in Network
* CVE-2026-0906: Incorrect security UI
* CVE-2026-0907: Incorrect security UI in Split View
* CVE-2026-0908: Use after free in ANGLE
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 14 2026 Than Ngo [than@redhat.com] - 144.0.7559.59-1
- Update to 144.0.7559.59
* CVE-2026-0899: Out of bounds memory access in V8
* CVE-2026-0900: Inappropriate implementation in V8
* CVE-2026-0901: Inappropriate implementation in Blink
* CVE-2026-0902: Inappropriate implementation in V8
* CVE-2026-0903: Insufficient validation of untrusted input in Downloads
* CVE-2026-0904: Incorrect security UI in Digital Credentials
* CVE-2026-0905: Insufficient policy enforcement in Network
* CVE-2026-0906: Incorrect security UI
* CVE-2026-0907: Incorrect security UI in Split View
* CVE-2026-0908: Use after free in ANGLE
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3736e2ff1a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: musescore-4.3.2-20.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-23b7799e1f
2026-01-18 01:43:54.890045+00:00
--------------------------------------------------------------------------------

Name : musescore
Product : Fedora 42
Version : 4.3.2
Release : 20.fc42
URL : https://musescore.org/
Summary : Music Composition & Notation Software
Description :
MuseScore is a free cross platform WYSIWYG music notation program. Some
highlights:

* WYSIWYG, notes are entered on a "virtual note sheet"
* Unlimited number of staves
* Up to four voices per staff
* Easy and fast note entry with mouse, keyboard or MIDI
* Integrated sequencer and FluidSynth software synthesizer
* Import and export of MusicXML and Standard MIDI Files (SMF)
* Translated in 26 languages

--------------------------------------------------------------------------------
Update Information:

This update adds a patch to fix CVE-2025-56225, a flaw in the bundled version of
fluidsynth.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 9 2026 Jerry James [loganjerry@gmail.com] - 4.3.2-20
- Patch for CVE-2025-56225
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2428301 - CVE-2025-56225 musescore: FluidSynth: Denial of Service via invalid MIDI file processing [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2428301
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-23b7799e1f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: libtpms-0.10.2-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-14ecf2c0cd
2026-01-18 01:43:54.889957+00:00
--------------------------------------------------------------------------------

Name : libtpms
Product : Fedora 42
Version : 0.10.2
Release : 1.fc42
URL : https://github.com/stefanberger/libtpms
Summary : Library providing Trusted Platform Module (TPM) functionality
Description :
A library providing TPM functionality for VMs. Targeted for integration
into Qemu.

--------------------------------------------------------------------------------
Update Information:

Upgrade to libtpms 0.10.2 fixing CVE-2026-21444
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 2 2026 Stefan Berger [stefanb@linux.ibm.com] - 0.10.2-1
- Upgrade to libtpms 0.10.2 fixing CVE-2026-21444
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2426838 - CVE-2026-21444 libtpms: return of wrong initialization vector when certain symmetric ciphers are used
https://bugzilla.redhat.com/show_bug.cgi?id=2426838
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-14ecf2c0cd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: chromium-144.0.7559.59-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-65945d88e4
2026-01-18 01:41:01.671147+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 144.0.7559.59
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 144.0.7559.59
* CVE-2026-0899: Out of bounds memory access in V8
* CVE-2026-0900: Inappropriate implementation in V8
* CVE-2026-0901: Inappropriate implementation in Blink
* CVE-2026-0902: Inappropriate implementation in V8
* CVE-2026-0903: Insufficient validation of untrusted input in Downloads
* CVE-2026-0904: Incorrect security UI in Digital Credentials
* CVE-2026-0905: Insufficient policy enforcement in Network
* CVE-2026-0906: Incorrect security UI
* CVE-2026-0907: Incorrect security UI in Split View
* CVE-2026-0908: Use after free in ANGLE
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 14 2026 Than Ngo [than@redhat.com] - 144.0.7559.59-1
- Update to 144.0.7559.59
* CVE-2026-0899: Out of bounds memory access in V8
* CVE-2026-0900: Inappropriate implementation in V8
* CVE-2026-0901: Inappropriate implementation in Blink
* CVE-2026-0902: Inappropriate implementation in V8
* CVE-2026-0903: Insufficient validation of untrusted input in Downloads
* CVE-2026-0904: Incorrect security UI in Digital Credentials
* CVE-2026-0905: Insufficient policy enforcement in Network
* CVE-2026-0906: Incorrect security UI
* CVE-2026-0907: Incorrect security UI in Split View
* CVE-2026-0908: Use after free in ANGLE
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-65945d88e4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: libtpms-0.10.2-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-21a2a74849
2026-01-18 01:41:01.671057+00:00
--------------------------------------------------------------------------------

Name : libtpms
Product : Fedora 43
Version : 0.10.2
Release : 1.fc43
URL : https://github.com/stefanberger/libtpms
Summary : Library providing Trusted Platform Module (TPM) functionality
Description :
A library providing TPM functionality for VMs. Targeted for integration
into Qemu.

--------------------------------------------------------------------------------
Update Information:

Upgrade to libtpms 0.10.2 fixing CVE-2026-21444
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 2 2026 Stefan Berger [stefanb@linux.ibm.com] - 0.10.2-1
- Upgrade to libtpms 0.10.2 fixing CVE-2026-21444
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2426838 - CVE-2026-21444 libtpms: return of wrong initialization vector when certain symmetric ciphers are used
https://bugzilla.redhat.com/show_bug.cgi?id=2426838
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-21a2a74849' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--