AlmaLinux 2598 Published by

AlmaLinux issued important security errata for versions 8 and 10. Grafana and Grafana-PCP packages for AlmaLinux 8 address privilege escalation risks in the golang idna module, while Node.js 22 and 24 for AlmaLinux 10 patch dozens of vulnerabilities including cross-site scripting, denial of service, and authentication bypasses. The AlmaLinux 10 kernel update fixes multiple issues such as out-of-bounds reads and use-after-free flaws, and AlmaLinux requests community testing for patched kernels addressing the Januscape KVM escape vulnerability and the Bad Epoll local privilege escalation bug. Administrators should install the recommended kernel versions immediately to mitigate guest-to-host escape risks on x86 systems and ensure service stability across their infrastructure.

ALSA-2026:35830: grafana security update (Important)
ALSA-2026:35831: grafana-pcp security update (Important)
ALSA-2026:34911: kernel security, bug fix, and enhancement update (Important)
ALSA-2026:35841: nodejs24 security, bug fix, and enhancement update (Important)
ALSA-2026:35842: nodejs22 security, bug fix, and enhancement update (Important)
Call for testing: patched kernels for two vulnerabilities (Januscape & Bad Epoll)




ALSA-2026:35830: grafana security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-07-06

Summary:

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (CVE-2026-39821)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-35830.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:35831: grafana-pcp security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-07-06

Summary:

The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.

Security Fix(es):

* golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (CVE-2026-39821)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-35831.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:34911: kernel security, bug fix, and enhancement update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-07-04

Summary:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (CVE-2026-43112)
* kernel: rxrpc: Fix potential UAF after skb_unshare() failure (CVE-2026-45998)
* kernel: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CVE-2026-46209)
* kernel: netfilter: nft_inner: Fix IPv6 inner_thoff desync (CVE-2026-46244)
* kernel: Arm Processors: Privilege escalation or information disclosure via writes to higher exception level resources (CVE-2025-10263)
* kernel: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CVE-2026-46316)
* kernel: kernel: ipv6 frag escape ()

Bug Fix(es) and Enhancement(s):

* crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode [almalinux-10.2.z] (JIRA:AlmaLinux-182537)
* [ThinkPad Avon/Mario +AlmaLinux 10.2]The OS hang up with CapsLock fliker (JIRA:AlmaLinux-185110)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-34911.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:35841: nodejs24 security, bug fix, and enhancement update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-07-06

Summary:

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

* ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)
* undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)
* undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)
* undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)
* undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)
* undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)
* undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)
* nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)
* nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)
* nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)
* nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)
* nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)
* Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)
* nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)
* nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)

Bug Fix(es) and Enhancement(s):

* nodejs24: Rebase to the latest Node.js 24 release [almalinux-10.2.z] (JIRA:AlmaLinux-186582)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-35841.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:35842: nodejs22 security, bug fix, and enhancement update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-07-06

Summary:

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.

Security Fix(es):

* ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)
* undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)
* undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)
* undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)
* undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)
* nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)
* nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)
* nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)
* nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)
* nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)
* Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)
* nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)
* nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)

Bug Fix(es) and Enhancement(s):

* nodejs22: Rebase to the latest Node.js 22 release [almalinux-10.2.z] (JIRA:AlmaLinux-186623)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-35842.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



[Announce] Call for testing: patched kernels for two vulnerabilities (Januscape & Bad Epoll)


[Announce] Call for testing: patched kernels for two vulnerabilities (Januscape & Bad Epoll)


Hi all,

As you can tell from the subject, we're back again having shipped patched
kernels to the testing repository for two serious Linux kernel
vulnerabilities and are asking the community to help verify them before
they move to production.

Januscape (CVE-2026-53359) is a KVM/x86 flaw affecting all supported
releases (8, 9, and 10), on both Intel and AMD. In its most serious form it
is a guest-to-host escape: an attacker who can start a VM can break out and
run commands as root on the host, which puts nearly every multi-tenant x86
cloud host at risk. It can also crash the host kernel from inside a guest
(DoS), and because /dev/kvm is world-readable at 0666 by default, it
doubles as a local privilege escalation to root with no VM involved. The
bug went undetected for roughly 16 years and is now patched in mainline.

Bad Epoll (CVE-2026-46242) is a use-after-free race in the kernel's epoll
subsystem that gives an unprivileged local user a reliable escalation to
root. It affects AlmaLinux 9 and 10 (8 is not affected).

AlmaLinux's core team backported both fixes to every affected branch, and
ALESCo approved shipping ahead of the CentOS Stream / RHEL update.

How to test:

sudo dnf install -y almalinux-release-testing
sudo dnf update 'kernel*' --enablerepo=almalinux-testing
sudo reboot
uname -r && rpm -q kernel

Patched kernel versions (install this or higher):

AlmaLinux 8: kernel-4.18.0-553.139.4.el8_10 (Januscape only)
AlmaLinux 9: kernel-5.14.0-687.20.3.el9_8
AlmaLinux 10: kernel-6.12.0-211.30.3.el10_2

Disable the testing repo afterward on any production system:

sudo dnf config-manager --disable almalinux-testing

Report any problems in AlmaLinux chat ( https://chat.almalinux.org) or at
bugs.almalinux.org. The kernels will move to production once the community
has helped verify them.

Full details: https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/

Jonathan Wright
AlmaLinux OS Foundation
Mattermost: chat ( https://chat.almalinux.org/almalinux/messages/@jonathan)