Debian 10860

Recent Debian security advisories cover updates for MediaWiki, Flatpak and FFmpeg that address multiple vulnerabilities in these packages. The MediaWiki update fixes information disclosure and incomplete permission checks in both the oldstable and stable distributions, while the Flatpak update stops a Flatpak app from deleting arbitrary files on the host or escaping the sandbox. The longest list of flaws is in the FFmpeg advisory, which covers buffer overflows and integer errors that can be triggered remotely to cause denial of service. System administrators are strongly urged to upgrade to the specific package versions listed below without delay.

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1681-1 ffmpeg security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6208-1] mediawiki security update

Debian GNU/Linux 13 (Trixie):
[DSA 6207-1] flatpak security update



[SECURITY] [DSA 6208-1] mediawiki security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6208-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 12, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mediawiki
CVE ID : CVE-2026-34086 CVE-2026-34087 CVE-2026-34088
CVE-2026-34091 CVE-2026-34092 CVE-2026-34093
CVE-2026-34094 CVE-2026-34095 CVE-2026-5266

Multiple security issues were discovered in MediaWiki, a website engine
for collaborative work, which could result in information disclosure or
incomplete permission checks.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1:1.39.17-1+deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 1:1.43.8+dfsg-1~deb13u1.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6207-1] flatpak security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6207-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 12, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : flatpak
CVE ID : CVE-2026-34078 CVE-2026-34079

Multiple security vulnerabilities were discovered in Flatpak, an
application deployment framework for desktop apps, which could allow a
Flatpak app to delete arbitrary files on the host or break out of the
sandbox, resulting in code execution in the host context.

For the stable distribution (trixie), these problems have been fixed in
version 1.16.6-1~deb13u1.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1681-1 ffmpeg security update


Package : ffmpeg
Version : 7:4.1.11-0+deb10u5 (buster)

Related CVEs :
CVE-2023-6603
CVE-2023-6605
CVE-2025-1594
CVE-2025-7700
CVE-2025-9951
CVE-2025-10256
CVE-2025-63757

Several issues have been found in ffmpeg, a library and tools for transcoding,
streaming and playing of multimedia files.

CVE-2023-6603

A flaw was found in FFmpeg’s HLS playlist parsing. This vulnerability
allows a denial of service via a maliciously crafted HLS playlist that
triggers a null pointer dereference during initialization.

CVE-2023-6605

A flaw was found in FFmpeg’s DASH playlist support. This vulnerability
allows arbitrary HTTP GET requests to be made on behalf of the machine
running FFmpeg via a crafted DASH playlist containing malicious URLs.

CVE-2025-1594

A vulnerability classified as critical was found in FFmpeg up to 7.1. It
affects the function ff_aac_search_for_tns in the file
libavcodec/aacenc_tns.c of the AAC encoder component, where manipulation
leads to a stack-based buffer overflow. The attack can be initiated
remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7700

A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly
check for memory allocation failures. This can cause the application to
crash when processing certain malformed audio files. While it does not
lead to data theft or system control, it can be used to disrupt services
and cause a denial of service.

CVE-2025-9951

A heap buffer overflow write exists in FFmpeg's jpeg2000dec decoder, in its
handling of the JPEG 2000 channel definition (cdef) atom, which could allow
an attacker to cause a denial of service or potentially gain remote code
execution.

CVE-2025-10256

A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer
filter (libavfilter/af_firequalizer.c) due to a missing check on the
return value of av_malloc_array() in the config_input() function. An
attacker could exploit this by tricking a victim into processing a crafted
media file with the Firequalizer filter enabled, causing the application
to dereference a NULL pointer and crash, leading to denial of service.

CVE-2025-63757

An integer overflow vulnerability exists in the yuv2ya16_X_c_template
function in libswscale/output.c in FFmpeg 8.0.
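To confirm that the fixed versions named in the three advisories above are actually installed, the following Python script (an added example, not Debian's own tooling) re-implements dpkg's version comparison so it can run offline, then checks dpkg-query style output against the fixed versions quoted from DSA-6208-1, DSA-6207-1 and ELA-1681-1. The FIXED_VERSIONS table, the find_vulnerable function and the sample output are assumptions made here; on a real host the input would come from `dpkg-query -W -f '${Package}\t${Version}\n' mediawiki flatpak ffmpeg`, and `dpkg --compare-versions` gives the same verdict as compare_versions below.

```python
"""Check installed Debian package versions against the fixed versions in
DSA-6208-1, DSA-6207-1 and ELA-1681-1.

Added example, not Debian tooling.  The comparison below is a Python
re-implementation of dpkg's algorithm (epoch, then upstream, then revision,
with '~' sorting before everything) so the check runs without dpkg.
"""

# Fixed versions quoted from the advisories, keyed by (suite, package).
# ELA-1681-1 covers buster only, so ffmpeg on other suites is not checked.
FIXED_VERSIONS = {
    ("buster", "ffmpeg"): "7:4.1.11-0+deb10u5",
    ("bookworm", "mediawiki"): "1:1.39.17-1+deb12u2",
    ("trixie", "mediawiki"): "1:1.43.8+dfsg-1~deb13u1",
    ("trixie", "flatpak"): "1.16.6-1~deb13u1",
}


def _order(c):
    """dpkg's character weight: '~' sorts before anything, including the end
    of the string; letters sort before non-letters; digits are handled in
    the numeric pass and weigh 0 here."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate non-digit runs (by character weight) and digit runs
    (numerically, ignoring leading zeros)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        # A longer digit run (after zero stripping) is the larger number.
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: rpartition put the whole string last
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    return c if c else _verrevcmp(r1, r2)


def find_vulnerable(suite, dpkg_query_output):
    """Parse 'package<TAB>version' lines (the shape produced by
    dpkg-query -W -f '${Package}\\t${Version}\\n') and return
    (package, installed, fixed) for packages still below the fixed version."""
    findings = []
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        pkg, installed = line.split("\t", 1)
        fixed = FIXED_VERSIONS.get((suite, pkg))
        if fixed is not None and compare_versions(installed, fixed) < 0:
            findings.append((pkg, installed, fixed))
    return findings


# Constructed sample output, not taken from a real host.
SAMPLE_TRIXIE = "mediawiki\t1:1.43.8+dfsg-1~deb13u1\nflatpak\t1.16.5-1\nffmpeg\t7:7.1.1-1\n"
SAMPLE_BOOKWORM = "mediawiki\t1:1.39.17-1+deb12u1\n"

if __name__ == "__main__":
    for suite, sample in (("trixie", SAMPLE_TRIXIE), ("bookworm", SAMPLE_BOOKWORM)):
        for pkg, have, want in find_vulnerable(suite, sample):
            print(f"{suite}: {pkg} {have} is below fixed version {want}")
```

The comparison honours the epoch and the `~` rule, which matters for exactly the versions in these advisories: a version string that drops the `1:` epoch never compares as newer than the fixed mediawiki package, and `1:1.43.8+dfsg-1~deb13u1` is correctly treated as older than a plain `1:1.43.8+dfsg-1`, since `~` sorts before the end of the string.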

