ALSA-2026:13578: kernel-rt security update (Important)
ALSA-2026:13537: thunderbird security update (Important)
ALSA-2026:13414: tigervnc security update (Important)
ALSA-2026:13577: kernel security update (Important)
ALSA-2026:13284: LibRaw security update (Important)
ALSA-2026:13677: systemd security update (Moderate)
ALSA-2026:13671: image-builder security update (Important)
ALSA-2026:13830: dovecot security update (Important)
ALSA-2026:3839: image-builder security update (Important)
ALSA-2026:13578: kernel-rt security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
* kernel: nvme: avoid double free special payload (CVE-2024-41073)
* kernel: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (CVE-2025-40252)
* kernel: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (CVE-2025-68724)
* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)
* kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401)
* kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-13578.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13537: thunderbird security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6772)
* firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-6754)
* firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component (CVE-2026-6762)
* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6752)
* firefox: thunderbird: Other issue in the Storage: IndexedDB component (CVE-2026-6770)
* firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component (CVE-2026-6757)
* firefox: thunderbird: Other issue in the Libraries component in NSS (CVE-2026-6767)
* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6786)
* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6753)
* firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-6759)
* firefox: thunderbird: Use-after-free in the WebRTC component (CVE-2026-6747)
* firefox: thunderbird: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component (CVE-2026-6749)
* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6766)
* firefox: thunderbird: Privilege escalation in the Networking component (CVE-2026-6761)
* firefox: thunderbird: Mitigation bypass in the File Handling component (CVE-2026-6763)
* firefox: thunderbird: Privilege escalation in the Graphics: WebRender component (CVE-2026-6750)
* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6748)
* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6785)
* firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-6771)
* firefox: thunderbird: Incorrect boundary conditions in the DOM: Device Interfaces component (CVE-2026-6764)
* firefox: thunderbird: Information disclosure in the Form Autofill component (CVE-2026-6765)
* firefox: thunderbird: Privilege escalation in the Debugger component (CVE-2026-6769)
* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6751)
* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-6776)
* firefox: thunderbird: Use-after-free in the DOM: Core & HTML component (CVE-2026-6746)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-13537.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13414: tigervnc security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.
Security Fix(es):
* xorg: xwayland: X.Org X server: Denial of Service via integer underflow in XKB compatibility map handling (CVE-2026-33999)
* xorg: xwayland: X.Org X server: Use-after-free vulnerability leads to server crash and potential memory corruption (CVE-2026-34001)
* xorg: xwayland: X.Org X server: Information exposure and denial of service via out-of-bounds memory access (CVE-2026-34003)
* TigerVNC: x0vncserver: TigerVNC x0vncserver: Information disclosure, data manipulation, and denial of service via incorrect permissions (CVE-2026-34352)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-13414.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13577: kernel security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
* kernel: nvme: avoid double free special payload (CVE-2024-41073)
* kernel: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (CVE-2025-40252)
* kernel: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (CVE-2025-68724)
* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)
* kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401)
* kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-13577.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13284: LibRaw security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
LibRaw is a library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others).
Security Fix(es):
* LibRaw: LibRaw: Memory Corruption via Malicious File Processing (CVE-2026-24660)
* LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading (CVE-2026-21413)
* LibRaw: LibRaw: Arbitrary code execution via specially crafted image file (CVE-2026-20889)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-13284.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13677: systemd security update (Moderate)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2026-05-05
Summary:
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.
Security Fix(es):
* systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data (CVE-2026-29111)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-13677.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13671: image-builder security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.
Security Fix(es):
* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-13671.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:13830: dovecot security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.
Security Fix(es):
* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)
* dovecot: denial of service via crafted message before authentication (CVE-2026-27858)
* dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-13830.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
ALSA-2026:3839: image-builder security update (Important)
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2026-05-05
Summary:
A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.
Security Fix(es):
* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-3839.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
