Several security updates have been released for Debian systems, including updates for Roundcube webmail and libpng image library. These updates address multiple vulnerabilities that could lead to information disclosure or denial-of-service attacks, including issues with HTML sanitization and buffer overflows. The updates are available for various Debian versions, including Bullseye, Bookworm, and Trixie, and users are advised to upgrade their packages as soon as possible. Additionally, a security update has been released for Ceph distributed storage and file system, which fixed an issue with SSL certificate checking in the Python bindings.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1647-1 libpng1.6 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4480-1] roundcube security update
[DLA 4481-1] libpng1.6 security update
[DLA 4482-1] ceph security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6137-1] roundcube security update
[DSA 6138-1] libpng1.6 security update

[SECURITY] [DLA 4480-1] roundcube security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4480-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
February 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : roundcube
Version : 1.4.15+dfsg.1-1+deb11u7
CVE ID : CVE-2026-25916 CVE-2026-26079
Debian Bug : 1127447

Vulnerabilities were discovered in Roundcube, a skinnable AJAX based
webmail solution for IMAP servers, which might lead to information
disclosure or privilege escalation.

CVE-2026-25916

NULL CATHEDRAL discovered that the HTML sanitizer doesn't treat SVG
`` as an image source. This allows attackers to
bypass remote image blocking to track email open action or
potentially bypass access control.

CVE-2026-26079

CERT Polska discovered that CSS code in text/html emails were
insufficiently sanitized, allowing an attacker to inject malicious
stylesheet rules.

For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u7.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6137-1] roundcube security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6137-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
February 17, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2026-25916 CVE-2026-26079
Debian Bug : 1127447

CERT Polska and nullcathedral discovered that roundcube, a skinnable
AJAX based webmail solution for IMAP servers, did not correctly
process and sanitize requests. This would allow an attacker to perform
CSS injection attacks, or leak sensitive information.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.5+dfsg-1+deb12u7.

For the stable distribution (trixie), these problems have been fixed in
version 1.6.13+dfsg-0+deb13u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DLA 4481-1] libpng1.6 security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4481-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
February 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libpng1.6
Version : 1.6.37-3+deb11u2
CVE ID : CVE-2026-22695 CVE-2026-22801 CVE-2026-25646
Debian Bug : 1125443 1125444 1127566

Multiple vulnerabilties have been found in libpng, the official PNG
reference library, allowing information disclosure via out-of-bounds
read, denial of service via infinite loop.

CVE-2026-22695

There is a heap buffer over-read in the libpng simplified API function
png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit
output format and non-minimal row stride. This is a regression
introduced by the fix for CVE-2025-65018.

CVE-2026-22801

There is an integer truncation in the libpng simplified write API
functions png_write_image_16bit and png_write_image_8bit causes heap
buffer over-read when the caller provides a negative row stride (for
bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was
introduced in libpng 1.6.26 (October 2016) by casts added to silence
compiler warnings on 16-bit systems.

CVE-2026-25646

A out-of-bounds read vulnerability exists in the png_set_quantize() API
function. When the function is called with no histogram and the number
of colors in the palette is more than twice the maximum supported by the
user's display, certain palettes will cause the function to enter into
an infinite loop that reads past the end of an internal heap-allocated
buffer. The images that trigger this vulnerability are valid per the PNG
specification.

For Debian 11 bullseye, these problems have been fixed in version
1.6.37-3+deb11u2.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4482-1] ceph security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4482-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
February 17, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : ceph
Version : 14.2.21-1+deb11u3
CVE ID : CVE-2024-31884
Debian Bug : 1126573

It was discovered that there was an issue in Ceph, the distributed
storage and file system, where the Python bindings did not correctly
implement SSL certificate checking.

For Debian 11 bullseye, this problem has been fixed in version
14.2.21-1+deb11u3.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6138-1] libpng1.6 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6138-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 17, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libpng1.6
CVE ID : CVE-2026-25646

A buffer overflow was discovered in libpng, a library implementing an
interface for reading and writing PNG (Portable Network Graphics) files,
which could result in denial of service or potentially the execution
of arbitrary code.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.6.39-2+deb12u3. This update also includes two additional
security fixes (CVE-2026-22801 and CVE-2026-22695), which had been
lined up for the next Bookworm point release.

For the stable distribution (trixie), this problem has been fixed in
version 1.6.48-1+deb13u3. This update also includes two additional
security fixes (CVE-2026-22801 and CVE-2026-22695), which had been
lined up for the next Trixie point release.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

ELA-1647-1 libpng1.6 security update

Package : libpng1.6
Version : 1.6.28-1+deb9u3 (stretch), 1.6.36-6+deb10u2 (buster)

Related CVEs :
CVE-2026-22695
CVE-2026-22801
CVE-2026-25646

Multiple vulnerabilties have been found in libpng, the official PNG reference library, potentially allowing information disclosure via out-of-bounds read or denial of service via infinite loop.

CVE-2026-22695
There is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018.

CVE-2026-22801
There is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems.

CVE-2026-25646
A out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification.

ELA-1647-1 libpng1.6 security update