Linux Security Roundup for Week 19, 2026

Security 10949 Published by

This week brings a massive wave of critical security patches across major Linux distributions, with urgent fixes targeting sudo privilege escalation risks and the newly flagged CopyFail vulnerability. Administrators managing Red Hat derivatives need to prioritize kernel and OpenSSH updates while verifying boot configurations after installation. Debian and Ubuntu users should carefully apply timezone database refreshes alongside cloud-specific kernel packages to prevent silent script failures or hardware mismatches. Running your distribution's package manager immediately is essential since delaying these installations leaves enterprise networks and edge devices wide open to exploitation.





Linux Security Updates: CopyFail CVE, Sudo Fixes, and Kernel Patches You Need Now

This week's patch pile is heavy enough to make even seasoned sysadmins groan. Critical fixes for sudo, a new vulnerability labeled CopyFail in Rocky Linux, and timezone database updates that can break logging scripts dominate the release cycle. The Red Hat family pushes hard on OpenSSH and kernel patches, while Debian and Ubuntu cover cloud flavors and browser holes. Package managers should be running immediately to close these gaps before attackers exploit them.

CopyFail CVE and Sudo Panic Across Red Hat Distributions

Rocky Linux flagged a vulnerability labeled CopyFail with CVE-2026-31431, which appears to target memory safety issues that could allow unauthorized access or system crashes. RHEL also released multiple advisories updating sudo across enterprise releases. Sudo vulnerabilities frequently escalate into full root compromises within minutes, making these patches non-negotiable for any system handling privileged commands.

AlmaLinux and Oracle Linux joined the fray with broad updates targeting versions 7 through 10. The kernel receives heavy attention alongside OpenSSH and systemd fixes. Oracle Linux included patches for the Unbreakable Enterprise Kernel, so administrators running UEK must verify boot configurations after installation to avoid boot failures. RHEL also updated .NET versions 8.0 and 9.0, plus LibRaw and image-builder tools.

The volume of corosync and fence-agents updates suggests high-availability clusters are under scrutiny. Skipping these patches leaves clustered workloads exposed to serious exploits.

Debian Timezone Refreshes and Ubuntu Cloud Kernel Flavors

Debian administrators must install tzdata updates alongside fixes for OpenJDK, ImageMagick, Apache2, and the Linux kernel. The timezone database refresh for 2026 is a routine maintenance task that often causes headaches when cron jobs or logging scripts assume static offsets.

A common failure mode involves backup scripts failing silently because a timezone update shifts the UTC alignment unexpectedly. Ubuntu covers all bases with kernel updates for Azure, GCP, Raspberry Pi, and Xilinx flavors. Systems running on edge devices or cloud instances require specific kernel packages that match their hardware abstraction layers. Applying generic updates without checking the flavor can break boot processes on specialized hardware. Both distros also patched Thunderbird and Firefox variants, so desktop environments need attention alongside server workloads.

Fedora 42 to 44 Developer Tools and Rust Sequoia

Fedora pushes Python 3.14 and Rust Sequoia for versions 43 and 44, signaling a clear cue for developers to test build pipelines before deployment. The distro also updated Chromium, NodeJS, Squid, and PowerDNS across the supported releases. Fedora 42 through 44 kernel updates cover versions 6.19 and 7.0, addressing memory safety flaws that could compromise entire networks. The inclusion of forgejo-runner and nextcloud patches indicates self-hosted services on Fedora require immediate attention. Python-tornado and pyOpenSSL fixes round out a developer-heavy release cycle that balances bleeding-edge tools with critical security hardening.

SUSE Live Patches and Slackware Manual Verification

SUSE released updates for openSUSE Tumbleweed, Leap 15, and enterprise systems while offering live kernel patches for SLES 15 SP4 through SP6. These live patches allow administrators to apply critical security fixes without rebooting production servers, preserving uptime for sensitive environments. The advisory covers Xen, curl, Java libraries, and Python frameworks alongside routine system utilities.

Slackware kept the release simple with stable and development builds targeting httpd, php, Firefox, Thunderbird, and the main kernel. Since Slackware lacks automated package managers like apt or dnf, manual verification of these advisories is required before applying patches to avoid dependency conflicts on minimalist systems.

Tuxrepair

Latest Security Patches by Distribution

Here’s a complete breakdown of recent security updates for AlmaLinux, Debian GNU/Linux, Fedora Linux, Oracle Linux, Red Hat Enterprise Linux, Rocky Linux, Slackware Linux, SUSE Linux, and Ubuntu Linux.

AlmaLinux

AlmaLinux has released a broad set of security patches for versions 8 through 10 of its operating system. These advisories target essential tools like the Linux kernel, Thunderbird, OpenSSH, and systemd while plugging critical vulnerabilities that could compromise entire networks. Without these fixes, attackers might exploit memory safety flaws or steal sensitive cookie data to gain unauthorized access. System administrators should prioritize installing the updates immediately to maintain a secure computing environment.

Debian GNU/Linux

Debian administrators need to install a fresh wave of security patches that target dozens of widely used packages across the operating system. These urgent updates fix critical flaws in essential tools like OpenJDK, ImageMagick, Apache2, and the Linux kernel, which could otherwise allow attackers to execute arbitrary code or crash systems entirely. Additional advisories cover important applications such as Thunderbird and LXD alongside newer versions of PHP and Firefox ESR, since those libraries contain dangerous memory leaks that trigger infinite loops. Beyond pure security fixes, the release cycle includes routine maintenance updates like refreshed timezone databases that adjust regional timekeeping rules for 2026.

Fedora Linux

Fedora users running versions 42 through 44 must prioritize installing a wave of urgent security patches released this week. These critical updates target dangerous vulnerabilities lurking in dozens of widely used packages that power everyday computing tasks. Administrators will find fixes covering everything from the Chromium browser and Python development environment to essential networking tools like Squid and PowerDNS alongside core system libraries such as OpenSSL and the Linux kernel. Delaying these installations leaves systems exposed to serious exploits so immediate action is strongly recommended across all affected releases.

Oracle Linux

Oracle Linux administrators should prioritize installing recent security patches that span versions seven through ten of the distribution. These updates target serious flaws in foundational components like the kernel, systemd, and OpenSSH that could allow attackers to crash systems or gain unauthorized access. Several packages also received stability improvements and were rebuilt using modern frameworks to close lingering cryptographic vulnerabilities. System administrators need to apply these fixes promptly to maintain a secure and reliable computing environment.

Red Hat Enterprise Linux

Red Hat recently pushed out a fresh wave of security advisories for its RHEL distribution. These updates tackle serious flaws in widely used software like the Linux kernel, Firefox, OpenSSH, and .NET across several enterprise releases. You will also notice targeted improvements for specialized platforms such as OpenShift alongside standard system libraries. Every patch blends critical vulnerability fixes with everyday maintenance to keep your infrastructure running smoothly.

Rocky Linux

Rocky Linux administrators must quickly install a series of critical security patches across versions eight through ten. These updates target widely used system libraries and utilities, including libcap, sudo, corosync, and the Linux kernel itself. Several of the fixes address severe vulnerabilities that could allow unprivileged users to escalate privileges or gain unauthorized root access. Delaying these installations leaves systems exposed to serious exploits, so prompt action is essential for maintaining a secure environment.

Slackware Linux

The Slackware Linux Security Team recently rolled out a series of critical security patches for users running either the stable or development versions of the operating system. These updates target several widely used applications and core components, including Apache HTTPd, Hunspell, Firefox, PHP, Thunderbird, and the main kernel. Each package has been carefully modified to close known vulnerabilities that could otherwise leave systems exposed to malicious attacks. Administrators should prioritize installing these upgrades as soon as possible to maintain a secure computing environment.

SUSE Linux

SUSE recently pushed out multiple rounds of security patches for its openSUSE Tumbleweed, Leap 15, and enterprise Linux systems. Many of these updates address severe memory corruption bugs and remote execution risks that could compromise entire networks. You will find fixes covering widely used software like Xen, curl, Python frameworks, Java libraries, and web browsers alongside routine system utilities. IT teams need to apply these releases quickly before attackers can exploit the unpatched weaknesses.

Ubuntu Linux

Ubuntu recently deployed critical security patches across its supported distributions to fix serious vulnerabilities in widely used software. These emergency updates target essential packages like curl, Apache, nghttp2, and the Linux kernel itself. Attackers could exploit these flaws to steal credentials or crash systems remotely. The comprehensive fixes span multiple operating system versions and include specialized cloud builds alongside standard desktop releases.

Keep Your Linux System Secure: Safely Applying Critical Updates

Applying these patches requires distribution-specific package management commands. RHEL-based systems typically use dnf update or yum update, while Debian and Ubuntu rely on apt upgrade. SUSE users should run zypper patch to properly address all security advisories, and Slackware administrators can manage updates with upgradepkg or slackpkg. After executing the commands, a reboot is usually necessary for kernel changes to take effect. Finally, review your package manager’s logs to verify that all patches installed successfully and no dependencies were disrupted.

Debian/Ubuntu (apt)

The first thing to do is refresh the local package index; running sudo apt update contacts all configured repositories and pulls in the newest lists of available versions. Skipping this step leaves the system blind to any recent uploads, which explains why “upgrade” sometimes claims there’s nothing to do even after a security advisory has been published. Once the index is current, invoke sudo apt upgrade -y; the -y flag answers every prompt automatically so the process doesn’t pause for user input. This command upgrades all installed packages that have newer versions in the repositories while preserving configuration files.

sudo apt update
sudo apt upgrade -y

Fedora/RedHat/Rocky/Alma/Oracle (dnf or yum)

On modern Fedora and recent Red Hat derivatives, dnf is the package manager; older RHEL releases still rely on yum. Begin with a check‑update operation—sudo dnf check-update or sudo yum check-update—to see exactly which packages are awaiting an upgrade. This preview step can be useful for spotting unexpected kernel bumps before they land. To actually apply the updates, run sudo dnf upgrade -y (or sudo yum update if you prefer the older tool). The upgrade command pulls down the new binaries and runs any necessary post‑install scripts, such as rebuilding initramfs when a kernel changes.

sudo dnf check-update
sudo dnf upgrade -y

or on older releases

sudo yum check-update
sudo yum update

SUSE (zypper)

SUSE’s command line front‑end is called zypper. First execute sudo zypper refresh so that the metadata for all enabled repos gets updated; without this, zypper will happily report “No updates available” even though newer packages sit on the mirror. After a fresh refresh, issue sudo zypper update -y; this upgrades every package to the latest version in the configured repositories and automatically handles service restarts when required.

sudo zypper refresh
sudo zypper update -y

Slackware (slackpkg and pkgtool)

Slackware doesn’t have a single unified updater, but the official way to pull updates is through slackpkg. Start with sudo slackpkg update to download the newest package list from the chosen mirror. Then run sudo slackpkg upgrade-all; this command walks through each installed package and replaces it with the most recent build available in the official repository. For users who prefer a more granular approach, specifying a package name after upgrade limits the operation to that single item. When dealing with community‑maintained repositories, pkgtool takes over: a combined sudo pkgtool update && sudo pkgtool upgrade will sync and apply updates from the mirrors listed in /etc/slackpkg/mirrors.

sudo slackpkg update
sudo slackpkg upgrade-all

Patching never makes for a fun afternoon, but skipping this week's updates leaves too many doors open for malicious actors. Check sudo versions, verify timezone settings on Debian servers, and ensure those cloud kernels match the hardware profile. Stay safe out there.

Libtree-Sitter, Redis, Semaphore, and more updates for SUSE

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...