Debian 10997 Published by

Debian and Freexian released four security advisories, that address critical flaws in libxfont, grub2, dhcpcd5, and ntfs-3g. The patched vulnerabilities include heap buffer overflows, unauthorized privilege escalation, and potential bypasses of UEFI Secure Boot protections. Malicious users could exploit these issues to execute arbitrary code, crash systems, or corrupt data while operating within X server or local user contexts.

[DSA 6388-1] libxfont security update
[DLA 4685-1] grub2 security update
[DLA 4686-1] dhcpcd5 security update
[DSA 6389-1] ntfs-3g security update
ELA-1774-1 libxfont security update




[SECURITY] [DSA 6388-1] libxfont security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6388-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 15, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxfont
CVE ID : CVE-2026-56001 CVE-2026-56002 CVE-2026-56003
Debian Bug : 1141702

Several vulnerabilities were discovered in libXfont, the X11 font
rasterisation library, which may result in arbitrary code execution in
the X server context for authenticated X clients.

For the stable distribution (trixie), these problems have been fixed in
version 1:2.0.6-1+deb13u1.

We recommend that you upgrade your libxfont packages.

For the detailed security status of libxfont please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libxfont

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4685-1] grub2 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4685-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
July 15, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : grub2
Version : 2.06-3~deb11u7
CVE ID : CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777
CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781
CVE-2024-45782 CVE-2024-45783 CVE-2025-0622 CVE-2025-0624
CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685
CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118
CVE-2025-1125

Several issues were found in the GRUB2 bootloader, which could result
in crashes and potentially execution of arbitrary code. These could
lead to bypass of UEFI Secure Boot on affected systems.

For Debian 11 bullseye, these problems have been fixed in version
2.06-3~deb11u7.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/grub2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4686-1] dhcpcd5 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4686-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Martin-Éric Racine
July 15, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : dhcpcd5
Version : 7.1.0-2+deb11u1
CVE ID : CVE-2025-70102 CVE-2026-56114
Debian Bug : 1140767

Two vulnerabilities were discovered in dhcpcd5, a DHCP client, which
may result in denial of service and possibly data corruption.

For Debian 11 bullseye, these problems have been fixed in version
7.1.0-2+deb11u1.

We recommend that you upgrade your dhcpcd5 packages.

For the detailed security status of dhcpcd5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dhcpcd5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6389-1] ntfs-3g security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6389-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 15, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ntfs-3g
CVE ID : CVE-2026-42616 CVE-2026-42617 CVE-2026-42618 CVE-2026-46569
CVE-2026-46570 CVE-2026-46571 CVE-2026-46572 CVE-2026-56135
CVE-2026-56136
Debian Bug : 1142144

Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS
driver for FUSE. A local user can take advantage of these flaws for
local root privilege escalation.

For the stable distribution (trixie), these problems have been fixed in
version 1:2022.10.3-5+deb13u2.

We recommend that you upgrade your ntfs-3g packages.

For the detailed security status of ntfs-3g please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ntfs-3g

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1774-1 libxfont security update (by )


Package : libxfont

Version : 1:2.0.3-1+deb10u1 (buster)

Related CVEs :
CVE-2026-56001
CVE-2026-56002
CVE-2026-56003

CVE-2026-56001
A heap buffer overflow in BitmapScaleBitmaps in due to an overflowing
32-bit size.

CVE-2026-56002
A heap bufferflow in pcfReadFont() due to missing glyph bounds
checking.

CVE-2026-56003
A heap buffer overflow due to missing size checking in the property
buffer when parsing PCF files in ComputeScaledProperties().


ELA-1774-1 libxfont security update (by )