Debian 10857

Debian's security teams have released updates for firefox-esr, chromium, and libyaml-syck-perl across several distributions. The firefox-esr update closes flaws that could allow arbitrary code execution through the browser. The chromium update for the stable distributions is a large one, covering dozens of CVEs, and guards against denial of service and data leaks. The Perl library update fixes memory-safety issues in which missing null terminators let an out-of-bounds read expose adjacent variables.

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1679-1 libyaml-syck-perl security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4526-1] firefox-esr security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6205-1] chromium security update



[SECURITY] [DLA 4526-1] firefox-esr security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4526-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
April 11, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : firefox-esr
Version : 140.9.1esr-1~deb11u1
CVE ID : CVE-2026-5731 CVE-2026-5732 CVE-2026-5734

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For Debian 11 bullseye, these problems have been fixed in version
140.9.1esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6205-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6205-1                   security@debian.org
https://www.debian.org/security/                           Andres Salomon
April 10, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2026-5858 CVE-2026-5859 CVE-2026-5860 CVE-2026-5861
CVE-2026-5862 CVE-2026-5863 CVE-2026-5864 CVE-2026-5865
CVE-2026-5866 CVE-2026-5867 CVE-2026-5868 CVE-2026-5869
CVE-2026-5870 CVE-2026-5871 CVE-2026-5872 CVE-2026-5873
CVE-2026-5874 CVE-2026-5875 CVE-2026-5876 CVE-2026-5877
CVE-2026-5878 CVE-2026-5879 CVE-2026-5880 CVE-2026-5881
CVE-2026-5882 CVE-2026-5883 CVE-2026-5884 CVE-2026-5885
CVE-2026-5886 CVE-2026-5887 CVE-2026-5888 CVE-2026-5889
CVE-2026-5890 CVE-2026-5891 CVE-2026-5892 CVE-2026-5893
CVE-2026-5894 CVE-2026-5895 CVE-2026-5896 CVE-2026-5897
CVE-2026-5898 CVE-2026-5899 CVE-2026-5900 CVE-2026-5901
CVE-2026-5902 CVE-2026-5903 CVE-2026-5904 CVE-2026-5905
CVE-2026-5906 CVE-2026-5907 CVE-2026-5908 CVE-2026-5909
CVE-2026-5910 CVE-2026-5911 CVE-2026-5912 CVE-2026-5913
CVE-2026-5914 CVE-2026-5915 CVE-2026-5918 CVE-2026-5919

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 147.0.7727.55-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 147.0.7727.55-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1679-1 libyaml-syck-perl security update


Package : libyaml-syck-perl
Version : 1.31-1+deb10u1 (buster)

Related CVEs :
CVE-2025-11683
CVE-2026-4177

CVE-2025-11683
Missing null terminators in token.c lead to an out-of-bounds read
which allows an adjacent variable to be read. The issue is seen with
complex YAML files containing a hash of all keys and empty values.

CVE-2026-4177
Several security vulnerabilities, including a high-severity heap
buffer overflow in the YAML emitter. The heap overflow occurs when
class names exceed the initial 512-byte allocation. The base64
decoder could read past the buffer end on trailing newlines. strtok
mutated n->type_id in place, corrupting shared node data. A memory
leak occurred in syck_hdlr_add_anchor when a node already had an
anchor: the incoming anchor string 'a' was leaked on early return.
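Each advisory above names the version that carries its fix. The Python below is an added example, not Debian's tooling and not part of the advisories: it reimplements dpkg's version ordering (including the rule that `~` sorts before anything else, so `1~deb11u1` is older than `1`) so the fixed versions quoted on this page can be compared against an installed version offline. `FIXED_VERSIONS` and `needs_update` are names assumed here.

```python
import re

# Fixed versions quoted in the advisories above, keyed by (package, suite).
FIXED_VERSIONS = {
    ("firefox-esr", "bullseye"): "140.9.1esr-1~deb11u1",
    ("chromium", "bookworm"): "147.0.7727.55-1~deb12u1",
    ("chromium", "trixie"): "147.0.7727.55-1~deb13u1",
    ("libyaml-syck-perl", "buster"): "1.31-1+deb10u1",
}

def _char_order(c):
    # dpkg order: '~' < end of string < letters < any other character.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # dpkg alternates non-digit runs (lexical, order above) and digit runs (numeric).
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            d = _char_order(sa[i:i + 1]) - _char_order(sb[i:i + 1])
            if d:
                return -1 if d < 0 else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        d = int(na or 0) - int(nb or 0)
        if d:
            return -1 if d < 0 else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the last '-' starts the Debian revision.
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1, ordering a against b as `dpkg --compare-versions` does."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def needs_update(package, suite, installed):
    """True when the installed version is still older than the advisory's fix."""
    fixed = FIXED_VERSIONS.get((package, suite))
    return fixed is not None and compare_versions(installed, fixed) < 0
```

On a Debian host the installed version comes from `dpkg-query -W -f='${Version}' firefox-esr`, and `dpkg --compare-versions` applies the same ordering natively.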

