ELA-1715-1 linux-6.1 security update
ELA-1714-1 openjdk-8 security update
[DLA 4575-1] firefox-esr security update
[DLA 4574-1] linux-6.1 security update
[DSA 6259-1] pyjwt security update
[DLA 4573-1] libpng1.6 security update
[DSA 6258-1] linux security update
ELA-1715-1 linux-6.1 security update
Package : linux-6.1
Version : 6.1.170-3~deb9u1 (stretch), 6.1.170-3~deb10u1 (buster)
Related CVEs :
CVE-2026-43284
CVE-2026-43500
Two vulnerabilities have been discovered in the Linux kernel that may
lead to local privilege escalation.
ELA-1714-1 openjdk-8 security update
Package : openjdk-8
Version : 8u492-ga-1~deb9u1 (stretch)
Related CVEs :
CVE-2026-22007
CVE-2026-22013
CVE-2026-22016
CVE-2026-22018
CVE-2026-22021
CVE-2026-34268
Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in incorrect generation of cryptographic keys, denial of
service, information disclosure, XXE/XEE attacks or incorrect validation
of Kerberos credentials.
[SECURITY] [DLA 4575-1] firefox-esr security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4575-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 09, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : firefox-esr
Version : 140.10.2esr-1~deb11u1
CVE ID : CVE-2026-8090 CVE-2026-8092 CVE-2026-8094
Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code.
For Debian 11 bullseye, these problems have been fixed in version
140.10.2esr-1~deb11u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4574-1] linux-6.1 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4574-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
May 09, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : linux-6.1
Version : 6.1.170-3~deb11u1
CVE ID : CVE-2026-43284 CVE-2026-43500
Debian Bug : 1135514 1135599
Two vulnerabilities have been discovered in the Linux kernel that may
lead to local privilege escalation.
For Debian 11 bullseye, these problems have been fixed in version
6.1.170-3~deb11u1. This version also fixes some regressions found in
the previous update.
We recommend that you upgrade your linux-6.1 packages.
For the detailed security status of linux-6.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-6.1
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6259-1] pyjwt security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6259-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 09, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pyjwt
CVE ID : CVE-2026-32597
It was discovered that PyJWT, a Python implementation of JSON web tokens,
insufficiently validated the "crit" header parameter, which could result
in incomplete enforcement of authentication settings.
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.6.0-1+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 2.10.1-2+deb13u1.
We recommend that you upgrade your pyjwt packages.
For the detailed security status of pyjwt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pyjwt
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4573-1] libpng1.6 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4573-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
May 09, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libpng1.6
Version : 1.6.37-3+deb11u4
CVE ID : CVE-2026-34757
Debian Bug : 1133051
A security vulnerability has been discovered in libpng, a library
implementing an interface for reading and writing PNG (Portable Network
Graphics) files, which could lead to corrupted chunk data and potential
heap information disclosure.
For Debian 11 bullseye, this problem has been fixed in version
1.6.37-3+deb11u4.
We recommend that you upgrade your libpng1.6 packages.
For the detailed security status of libpng1.6 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6258-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6258-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 09, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2026-43284 CVE-2026-43500
Debian Bug : 1135514
Two vulnerabilities have been discovered in the Linux kernel that may
lead to local privilege escalation.
For the oldstable distribution (bookworm), these problems have been fixed
in version 6.1.170-3.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/