Linux Security Roundup for Week 17, 2026

Security 10945 Published 2026-04-26 08:02 by Philipp Esselbach

News

This week's Linux security roundup delivers critical patches across nearly every major distribution, targeting widely used tools like ImageMagick, web browsers, PackageKit, and the core kernel. Administrators should prioritize these updates immediately because several fixes address memory corruption, privilege escalation risks, and sandbox bypasses that attackers actively exploit. High-priority releases also secure remote management platforms like Grafana while resolving dangerous race conditions in system package managers.

Weekly Linux Security Updates: Critical Fixes for ImageMagick, Kernels, and Browsers

This week's batch of linux security updates delivers a massive wave of patches across major distributions. Administrators running Debian, RHEL, or Fedora have urgent work ahead as critical flaws in image processing libraries, browsers, and core system utilities get addressed. The fixes target memory corruption issues, sandbox bypasses, and privilege escalation vectors that attackers are actively exploiting.

AlmaLinux 8 Through 10 Addresses Memory Corruption and Kernel Leaks

AlmaLinux rolled out broad patches for versions eight through ten to fix memory corruption flaws and improper parsing routines in essential components. The kernel updates resolve storage driver leaks that often cause systems to hang or lose data under heavy load, which is a common headache for admins managing busy servers. FreeRDP, Wireshark, Thunderbird, and OSBuild Composer also receive corrections, ensuring remote desktop sessions and network analysis tools stay secure. Version nine administrators must apply specific fixes for IPv6 URL handling alongside the kernel improvements to prevent traffic scheduling bugs from disrupting operations.

Debian Users Must Patch ImageMagick and Browser Sandboxes Immediately

Debian security teams pushed critical patches targeting serious flaws in widely used software packages across the distribution. The updates hit image processing libraries like Pillow and ImageMagick hard, closing vulnerabilities that allow attackers to run malicious code or bypass sandbox protections when handling corrupted files. System administrators managing LTS environments should install these fixes right away because unpatched image handlers are a favorite target for web-based exploits. Browsers including Firefox ESR, Chromium, and Thunderbird also get secured, while utilities like ntfs-3g and xdg-dbus-proxy receive updates to plug local privilege escalation risks.

Fedora 42 to 44 Updates Fix Sudo Flaws and PackageKit Race Conditions

Fedora Linux versions 42 through 44 received multiple batches of security updates targeting dozens of packages. The patches address critical flaws in Python, CUPS, Sudo, Firefox, and Nginx that could lead to remote code execution or unauthorized root access. A targeted fix for PackageKit resolves a dangerous race condition that allows unprivileged users to interfere with system package management during the update window. Users should install these releases immediately because race conditions in package managers often result in file corruption or privilege escalation if left unpatched.

Oracle Linux 7-10 Requires Rebuilds for go-rpm-macros and Kernel Fixes

Oracle Linux administrators need to apply a broad wave of advisories covering versions seven through ten, with special attention required for the Unbreakable Enterprise Kernel. Teams managing releases nine and ten must update go-rpm-macros to fix a Go compiler flaw that forces a full package rebuild, which is tedious but necessary to close the security gap. The maintenance push also closes serious gaps in ImageMagick, FreeRDP, and OpenEXR across the entire supported lineup. .NET updates and Scap-Security-Guide fixes round out the release for enterprise environments relying on Oracle's long-term support.

Red Hat Enterprise Linux Patches Grafana, libarchive, and Core Kernels in Latest Linux Security Updates

Red Hat delivered a steady stream of critical security patches for Enterprise Linux platforms spanning versions eight through ten. The updates touch nearly every major software category available for enterprise deployment, including fixes for libarchive, OpenEXR, Grafana, Python modules, and the core kernel. Grafana administrators should prioritize this update because exposed dashboards without current patches are frequent targets for data exfiltration attacks. System owners must deploy these changes quickly to keep networks safe from known exploits that could compromise sensitive enterprise data.

Rocky Linux 8-10 Updates Mirror RHEL with Kernel and Browser Fixes

Rocky Linux administrators need to install several urgent security patches across versions eight through ten to address vulnerabilities in widely used tools. The updates fix flaws in go-rpm-macros, delve, giflib, OpenEXR, Thunderbird, FreeRDP, Wireshark, and WebKit2GTK3. System owners running version eight should prioritize critical kernel upgrades for both standard and real-time builds to prevent storage driver leaks and traffic scheduling bugs from disrupting operations. Ignoring these fixes leaves networks open to moderate or critical exploits that could compromise sensitive data stored on Rocky Linux servers.

Slackware 15 Gets Firefox and Thunderbird Security Patches

The Slackware Linux Security Team pushed fresh updates to patch security holes in the stable fifteen release line. Firefox, Thunderbird, and libXpm all received fixes that apply directly to the current distribution, ensuring email clients and web browsers stay protected against known exploits. Administrators should roll these packages out quickly since unpatched versions remain vulnerable to remote code execution risks. Regular users will stay safe until the next major platform release arrives, but server admins need to act now.

SUSE Linux Fixes Critical Botan, Chromium, and Kernel Live Patches

SUSE pushed multiple batches of security patches across their distributions, covering everything from moderate issues to critical flaws in widely used tools. The updates target the kernel, Python, ImageMagick, Flatpak, and OpenSSL, with attackers potentially exploiting buffer overflows or authentication bypasses if administrators ignore them. Security teams should prioritize the Botan update on any SUSE box handling sensitive traffic because crypto library vulnerabilities compromise TLS connections. Critical fixes for Chromium, rclone, and cacti also appear in this round, alongside kernel live patches that allow administrators to apply security updates without rebooting production systems.

Ubuntu Patches PackageKit Privilege Escalation and Cloud Kernels

Ubuntu rolled out critical security patches to fix dangerous flaws across several widely used system libraries and cloud kernels. The updates target integer overflows in RapidJSON alongside local privilege escalation risks found in PackageKit, which allows attackers to gain root access on vulnerable systems. Specialized kernel builds for major cloud providers like Azure and Oracle, as well as Raspberry Pi devices, receive memory management error fixes that prevent denial of service attacks. GStreamer plugins also get secured against memory errors, ensuring media processing pipelines stay robust against malformed input.

A Closer Look at Recent Security Updates

Below is a comprehensive breakdown of the latest security patches released for AlmaLinux, Debian GNU/Linux, Fedora Linux, Red Hat Enterprise Linux, Rocky Linux, Slackware Linux, SUSE Linux, and Ubuntu Linux.

AlmaLinux

AlmaLinux has rolled out a broad wave of security patches across versions eight through ten to address critical vulnerabilities in essential system components. These updates fix memory corruption flaws and improper parsing routines within packages like the Linux kernel, FreeRDP, Wireshark, Thunderbird, and OSBuild Composer. Administrators managing version nine will also need to apply specific corrections for IPv6 URL handling alongside kernel improvements that resolve storage driver leaks and traffic scheduling bugs.

Debian GNU/Linux

Debian security teams recently rolled out critical patches for numerous widely used software packages across their distribution. These updates target serious flaws in popular image processing libraries alongside essential web browsers and system utilities. Attackers could easily exploit these weaknesses to run malicious code, trigger sudden application crashes, or bypass important sandbox protections when handling corrupted files. System administrators managing Debian LTS environments should install the fixes right away to keep their networks safe from potential breaches.

Fedora Linux

Fedora Linux versions 42, 43, and 44 recently received multiple batches of security updates targeting dozens of widely used packages. The patches address critical flaws in essential software like Python, CUPS, Sudo, Firefox, and Nginx that could otherwise lead to remote code execution or unauthorized root access. While PackageKit gets a targeted fix for a dangerous race condition, other releases simply tighten security across foundational utilities and web servers. Users should install these security releases immediately to protect their systems from known exploits before attackers can take advantage of the unpatched vulnerabilities.

Oracle Linux

Oracle Linux administrators should prioritize applying a broad wave of security advisories covering versions seven through ten. These patches target critical vulnerabilities in foundational components like the Unbreakable Enterprise Kernel alongside essential tools such as .NET and Scap-Security-Guide. Teams managing releases nine and ten must immediately update go-rpm-macros to fix a specific Go compiler flaw that requires a full package rebuild. The overall maintenance push also closes serious security gaps in popular utilities including ImageMagick, FreeRDP, and OpenEXR across the entire supported lineup.

Red Hat Enterprise Linux

Red Hat has rolled out a steady stream of critical security patches for its Enterprise Linux platforms spanning versions eight through ten. You will notice that this round of updates touches nearly every major software category available for enterprise deployment. The recent fixes address serious flaws in everyday utilities including libarchive, OpenEXR, Grafana, Python modules, and even the core kernel. System administrators need to deploy these changes quickly to keep their networks safe from potential exploits.

Rocky Linux

Rocky Linux administrators need to install several urgent security patches across versions eight through ten. These updates fix known vulnerabilities in widely used tools such as go-rpm-macros, delve, giflib, OpenEXR, Thunderbird, FreeRDP, Wireshark, and WebKit2GTK3. System owners running version eight should also prioritize critical kernel upgrades for both standard and real-time builds. Ignoring these security fixes leaves networks open to moderate or critical exploits that could compromise sensitive data.

Slackware Linux

The Slackware Linux Security Team just pushed out fresh updates to patch several security holes in the system. Firefox, Thunderbird, and libXpm all received fixes that apply directly to the stable 15 release line. Administrators ought to roll these packages out quickly since unpatched versions remain vulnerable to known exploits. Regular users will stay safe until the next major platform release arrives.

SUSE Linux

SUSE recently pushed out multiple batches of security patches across their Linux distributions. From moderate issues to critical flaws, these updates cover widely used tools like the kernel, Python, ImageMagick, Flatpak, and OpenSSL. Attackers could potentially exploit dangerous weaknesses such as buffer overflows or authentication bypasses if administrators ignore them. Rolling out these fixes quickly will keep your systems protected against a long list of known vulnerabilities.

Ubuntu Linux

Ubuntu recently rolled out critical security patches to fix dangerous flaws across several widely used system libraries. These updates target integer overflows in RapidJSON alongside local privilege escalation risks found in PackageKit. The team also secured specialized kernel builds for major cloud providers and Raspberry Pi devices while addressing memory management errors in GStreamer plugins. System administrators must apply these fixes promptly to prevent malicious exploitation of the identified vulnerabilities across Ubuntu environments.

How to upgrade packages

This quick overview shows exactly what commands you need to run so the latest security patches and bug fixes actually make it onto your system without hunting down individual .deb or .rpm files.

Debian/Ubuntu (apt)

The first thing to do is refresh the local package index; running sudo apt update contacts all configured repositories and pulls in the newest lists of available versions. Skipping this step leaves the system blind to any recent uploads, which explains why “upgrade” sometimes claims there’s nothing to do even after a security advisory has been published. Once the index is current, invoke sudo apt upgrade -y; the -y flag answers every prompt automatically so the process doesn’t pause for user input. This command upgrades all installed packages that have newer versions in the repositories while preserving configuration files.

sudo apt update
sudo apt upgrade -y

Fedora/RedHat/Rocky/Alma/Oracle (dnf or yum)

On modern Fedora and recent Red Hat derivatives, dnf is the package manager; older RHEL releases still rely on yum. Begin with a check‑update operation—sudo dnf check-update or sudo yum check-update—to see exactly which packages are awaiting an upgrade. This preview step can be useful for spotting unexpected kernel bumps before they land. To actually apply the updates, run sudo dnf upgrade -y (or sudo yum update if you prefer the older tool). The upgrade command pulls down the new binaries and runs any necessary post‑install scripts, such as rebuilding initramfs when a kernel changes.

sudo dnf check-update
sudo dnf upgrade -y

or on older releases

sudo yum check-update
sudo yum update

SUSE (zypper)

SUSE’s command line front‑end is called zypper. First execute sudo zypper refresh so that the metadata for all enabled repos gets updated; without this, zypper will happily report “No updates available” even though newer packages sit on the mirror. After a fresh refresh, issue sudo zypper update -y; this upgrades every package to the latest version in the configured repositories and automatically handles service restarts when required.

sudo zypper refresh
sudo zypper update -y

Slackware (slackpkg and pkgtool)

Slackware doesn’t have a single unified updater, but the official way to pull updates is through slackpkg. Start with sudo slackpkg update to download the newest package list from the chosen mirror. Then run sudo slackpkg upgrade-all; this command walks through each installed package and replaces it with the most recent build available in the official repository. For users who prefer a more granular approach, specifying a package name after upgrade limits the operation to that single item. When dealing with community‑maintained repositories, pkgtool takes over: a combined sudo pkgtool update && sudo pkgtool upgrade will sync and apply updates from the mirrors listed in /etc/slackpkg/mirrors.

sudo slackpkg update
sudo slackpkg upgrade-all

Keep those systems patched and the coffee brewing.

Mutt 2.3.2 released