
Here is the weekly Linux security roundup with a massive wave of security patches. Critical remote code execution flaws hit Nginx and Firefox ESR, while kernel memory corruption and PostgreSQL credential leaks forced emergency updates across RHEL, Debian, and Ubuntu.





Linux Security Roundup: Critical Patches Hit Nginx, Firefox, PostgreSQL, and the Kernel Across Major Distributions

Another massive wave of advisories rolls out for RHEL, Ubuntu, Fedora, Debian, and Oracle Linux. Time to run your update commands.

If you haven't executed a package manager update in the last forty-eight hours, you're probably already behind. This week's security bulletin is a mouthful: critical remote code execution flaws in Nginx and Firefox ESR, memory corruption in the kernel, privilege escalation vectors in PostgreSQL, and DNS cache poisoning across Debian and Ubuntu. Nine major distributions shipped fixes, and the severity ratings are stacking up fast.

Let's cut through the noise. Debian issued emergency advisories for bullseye, bookworm, and trixie, targeting Chromium, FFmpeg, and OpenVPN. Ubuntu pushed patches for containerd, xrdp, and the Linux kernel across LTS releases spanning 22.04 to 26.04. Red Hat and Oracle both called out high-severity kernel memory corruption alongside Firefox ESR flaws, while Fedora locked down twenty-nine separate memory corruption issues in Chromium alone.


The Usual Suspects, Upgraded

Nginx and PostgreSQL showed up on almost every single bulletin this week. Oracle Linux bumped PostgreSQL to 16.14, fixed Samba, patched Redis, and shipped Go 1.26.3 alongside PHP 8. RHEL's advisory list stretches into the high hundreds, covering .NET 8.0, OpenShift 4.18.45, and Keycloak 26.6.4. If your stack runs those, the clock is ticking.

Slackware kept things quiet this time around. Just one advisory: libarchive 3.8.8 for the 15.0 stable branch and current. Not bad for a release cycle that moves at its own pace. Meanwhile, SUSE and openSUSE rolled out a staggering number of kernel live patches for SLES 15 SP4 through SP7, alongside fixes for Podman, Apptainer, Node.js 22, and a string of Python libraries. Kernel live patching on SUSE means fewer reboot windows this quarter, with one caveat: a live patch covers only the specific CVEs SUSE ships it for, the full kernel update still lands at the next boot, and the Podman, Node.js, and Python fixes are userspace packages that only take effect once the processes using them restart.

Patch fatigue is real. I've seen sysadmins skip whole weeks because the bulletin boards look like a grocery list. The volume this time is genuinely higher than average, though. Debian's DSA and DLA numbers are climbing past the 6300s and 4600s, and RHEL's RHSA IDs are pushing into the 30000s. Those IDs are sequential counters, so on their own they only measure how much has shipped, but the overlap across distributions is no coincidence: most of these are the same upstream disclosures (Chromium, Firefox ESR, PostgreSQL, the kernel) rebuilt and reissued by every distribution that ships the package, so one upstream fix shows up as a dozen advisories.

What Actually Needs Your Attention Today

Start with the kernel and your web stack. RHEL flagged a critical kernel patch, RHSA-2026:27719, for RHEL 9. Ubuntu's USN-8469-1 targets FFmpeg vulnerabilities, and Debian's DSA 6361-1 does the same. If you're running Nginx anywhere in your DMZ, Oracle Linux marked their nginx update as Critical (ELSA-2026:19374). Fedora's chromium update is already sitting at 149.0.7827.196, which closes those twenty-nine memory corruption CVEs.

PostgreSQL is another non-negotiable. RHEL shipped fixes for versions 12 through 18, and Rocky Linux covers 13 through 18. Credential recovery leaks and arbitrary code execution risks are the headline vulnerabilities here. Skip them at your peril.

On the container side, Red Hat, Oracle, Rocky, and SUSE all shipped runc, buildah, and containernetworking-plugins patches. Podman got its own round of fixes from SUSE. If you're building images or running Kubernetes on any of these boxes, treat this like a Tuesday morning task.

The severity spread is wide. Debian calls their updates emergency. Ubuntu's USN list runs into the double digits. RHEL and Oracle both mark multiple kernel and nginx patches as Critical. That's not a drill.

Run your package managers. Reboot where necessary. Use live patching where it's available. Then check that the fix is actually in effect: a replaced nginx or postgresql binary protects nothing until the service restarts, so confirm the running process was started after the upgrade. Keep an eye on Fedora and RHEL's bulletin boards over the next few days, since some advisories roll out in waves. Head to your distribution's security page for the exact advisory links and checksums.

Latest Security Updates by Distribution

Here’s a complete breakdown of the security updates for AlmaLinux, Debian GNU/Linux, Fedora Linux, Oracle Linux, Red Hat Enterprise Linux, Rocky Linux, Slackware Linux, SUSE Linux, and Ubuntu Linux.

AlmaLinux

AlmaLinux published multiple security advisories for versions 8, 9, and 10 that patch serious flaws across widely deployed system packages. The updates target sandbox escapes and memory safety issues in Firefox, use-after-free errors in libpng, arbitrary code execution risks in Nginx, and credential recovery leaks in PostgreSQL. Additional patches address remote denial-of-service vulnerabilities in the 389 Directory Server, input injection flaws in Golang, and kernel security fixes. The errata carry Moderate and Important severity ratings and should be applied promptly to protect AlmaLinux production environments from unauthorized access and resource exhaustion.

Debian GNU/Linux

Debian issued a series of emergency security advisories to patch dozens of vulnerabilities across widely used system components and third-party applications. The updates target flaws in packages including the Linux kernel, FFmpeg, Chromium, OpenVPN, ImageMagick, and PostgreSQL that could otherwise allow attackers to escalate privileges, crash services, poison DNS caches, or execute arbitrary code. System administrators should apply these patches right away to block remote exploitation on active trixie, bullseye, and bookworm installations.

Fedora Linux

Fedora 43 and 44 issued multiple security advisories to patch known vulnerabilities across dozens of widely used Linux packages. The updates resolve eleven separate CVEs in TigerVNC, close twenty-nine memory corruption flaws in Chromium, and fix six protocol-layer issues in FreeRDP. Administrators will also need to apply patches for Nginx, Docker BuildKit, FFmpeg 8, Python 3.14, and several core Perl modules to fully secure their systems. Rolling out these advisories promptly removes active exploit paths and keeps production environments stable ahead of upcoming Fedora maintenance windows.

Oracle Linux

Oracle Linux administrators should apply a series of security advisories for versions 7, 8, and 9, which address critical vulnerabilities across the UEK kernel, core system libraries, and major application packages. The updates include version upgrades for PostgreSQL to 16.14, MySQL to 8, .NET spanning 8.0 through 10.0, Go 1.26.3, and PHP 8, alongside fixes for Nginx, Samba, Redis, Kubernetes tools, and Opencryptoki. High-severity issues resolve memory corruption and race conditions in the kernel, memory leaks in 389-ds, remote code execution risks in Firefox ESR, and flaws in glibc and gnutls that affect the base environment. These patches protect server infrastructure by closing open holes that could allow remote attacks, ensuring stability and security for both database servers and container environments running on Oracle Linux.

Red Hat Enterprise Linux

Red Hat issued multiple security advisories for RHEL 8, 9, and 10 covering packages like the kernel, Firefox, PostgreSQL, Python, OpenShift, Keycloak, and nginx. These updates address newly discovered vulnerabilities with impact ratings that range from moderate to important. Kernel live patching (kpatch) lets administrators apply selected kernel fixes directly into memory and defer the reboot; it does not cover userspace packages, so Firefox, PostgreSQL, nginx, and Keycloak still need the service restarted (or the browser relaunched) after the package update for the fix to take effect.

Rocky Linux

Rocky Linux administrators must install a series of RLSA security advisories across versions 8, 9, and 10 to patch known vulnerabilities. The latest releases address high-profile packages like kernel and kernel-rt, PostgreSQL versions 13 through 18, Nginx 1.24, Firefox, and Python 3.14. Severity ratings run from moderate to important, with certain advisories demanding immediate action on the newest Rocky Linux 10 systems. System operators should apply these fixes right away to keep core infrastructure and dependent software secure.

Slackware Linux

The Slackware Linux Security Team released libarchive 3.8.8 to patch multiple vulnerabilities across the 15.0 stable branch and the current development line. Users should install the package promptly. libarchive is more than the bsdtar command-line tool: it is the library other programs on the system link against to read tar, zip, and similar archives, so a hostile archive reaches the bug through any of them, and the fix matters beyond the compression utilities themselves.

SUSE Linux

SUSE and openSUSE have rolled out a massive wave of critical and important security patches spanning dozens of widely used enterprise packages. The advisories target core infrastructure components including the Linux kernel, OpenSSL, Node.js, Podman, Apptainer, and various Python libraries across SLES and openSUSE Leap releases. Each release closes dozens of independently tracked vulnerabilities affecting network routing tools, document rendering engines, and container management utilities. System administrators managing these distributions must download and apply the latest package builds immediately to prevent potential exploitation.

Ubuntu Linux

Ubuntu distributed a fresh batch of security patches for LTS releases ranging from 22.04 through 26.04 to fix serious flaws in widely deployed infrastructure tools. The notices target packages including Nginx, MySQL, HAProxy, ImageMagick, containerd, xrdp, and the Linux kernel, addressing issues that span memory corruption, authentication bypasses, and arbitrary code execution. Administrators running these systems should install the updates right away, since several of the flaws are reachable by unauthenticated attackers, who could crash databases, hijack sessions, or run malicious payloads.

How to apply these Linux security updates safely

Before running any update commands, check which services are currently active on your system. If Nginx or Apache is handling live traffic, schedule a brief maintenance window or use rolling restarts to minimize downtime during the patching process. Desktop users can usually apply these fixes from a terminal with their distribution's package manager: refresh the package index, then run its upgrade command. If the kernel was updated, a reboot is necessary: the patched kernel is installed on disk, but the vulnerable one keeps running until the machine boots into the new image (live patching is the exception, and only for the CVEs it covers).

After installation, verify the patch level: query the package manager for the installed version and compare it with the one named in the advisory, and confirm that long-running services were restarted, since a process started before the upgrade keeps the old code mapped in memory. Power users who script against command-line tools like jq should also run a quick regression test; a patched parser can change behaviour that scripts depend on, and the few minutes are worth it. If you prefer to skip PackageKit or other GUI package managers because they sometimes hang or try to install junk, do not let that stop you from running the command-line equivalent to get these critical patches applied.

Applying these patches requires distribution-specific package management commands. RHEL-based systems use dnf upgrade (yum update on RHEL 7 and its clones), while Debian and Ubuntu rely on apt upgrade. SUSE users should run zypper patch, which installs the patches that advisories map to, rather than zypper update, which upgrades every package; Slackware administrators can manage updates with slackpkg, or with upgradepkg on an individual downloaded package. After executing the commands, a reboot is usually necessary for kernel changes to take effect. Finally, review your package manager's logs (/var/log/dnf.log and /var/log/dnf.rpm.log, /var/log/apt/history.log, /var/log/zypp/history) to verify that all patches installed successfully and no dependencies were disrupted.
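The paragraph above boils down to "know your package manager family, run its security update, then find out whether you still owe a reboot". The script below is an added example, not code from the article or from any distribution: it reads /etc/os-release (ID first, then ID_LIKE, so Rocky, Alma, Oracle and openSUSE Leap resolve to their parent family), prints the security-only update command and the reboot check for that family, and runs them when asked. The command table, the yum-versus-dnf cut at VERSION_ID 7, and the Slackware reboot heuristic (comparing uname -r with the installed kernel-generic package) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: detect the package-manager family from
# /etc/os-release and emit the security-only update and reboot-check commands for
# it. The mapping and the reboot heuristics below are this example's own choices.
# Run with --dry-run to print the commands, --apply to execute them as root.
set -u

# Print the family for an os-release file: apt, dnf, yum, zypper or slackpkg.
# ID is tried first, then ID_LIKE, so Rocky/Alma/Oracle ("rhel"/"fedora") and
# openSUSE Leap ("suse") resolve without listing every derivative by name.
# RHEL 7 and its clones (VERSION_ID 7.x) still use yum.
pm_family() {
    file=${1:-${OS_RELEASE:-/etc/os-release}}
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$file" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
    for token in $id $like; do
        case $token in
            debian|ubuntu)       echo apt; return 0 ;;
            fedora|rhel|centos)  case $ver in 7|7.*) echo yum ;; *) echo dnf ;; esac; return 0 ;;
            suse|opensuse|sles)  echo zypper; return 0 ;;
            slackware)           echo slackpkg; return 0 ;;
        esac
    done
    echo unknown
    return 1
}

# Security-only update per family. apt has no security-only switch (that is the
# job of the unattended-upgrades package), so it upgrades everything pending;
# the yum form needs yum-plugin-security, which is built into yum on RHEL 7.
security_update_cmd() {
    case $1 in
        apt)      echo 'apt-get update && apt-get upgrade -y' ;;
        dnf)      echo 'dnf upgrade --security -y' ;;
        yum)      echo 'yum update --security -y' ;;
        zypper)   echo 'zypper refresh && zypper --non-interactive patch --category security' ;;
        slackpkg) echo 'slackpkg update && slackpkg upgrade patches' ;;
        *)        return 1 ;;
    esac
}

# Command that exits 0 when a reboot is still needed. Exit codes are the tools'
# documented ones: needs-restarting -r returns 1, zypper needs-rebooting returns 102.
# The Slackware line compares the running kernel with the installed kernel-generic
# package (an assumption about package naming, not a Slackware tool).
reboot_check_cmd() {
    case $1 in
        apt)      echo 'test -f /var/run/reboot-required' ;;
        dnf)      echo 'dnf needs-restarting -r >/dev/null 2>&1; test $? -eq 1' ;;
        yum)      echo 'needs-restarting -r >/dev/null 2>&1; test $? -eq 1' ;;
        zypper)   echo 'zypper needs-rebooting >/dev/null 2>&1; test $? -eq 102' ;;
        slackpkg) echo 'test "$(uname -r)" != "$(ls /var/lib/pkgtools/packages | sed -n "s/^kernel-generic-\([^-]*\)-.*/\1/p")"' ;;
        *)        return 1 ;;
    esac
}

main() {
    fam=$(pm_family) || { echo "unsupported distribution" >&2; return 1; }
    echo "family: $fam"
    echo "update: $(security_update_cmd "$fam")"
    echo "reboot check: $(reboot_check_cmd "$fam")"
    if [ "$1" = --apply ]; then
        sh -c "$(security_update_cmd "$fam")" || return 1
        if sh -c "$(reboot_check_cmd "$fam")"; then
            echo "reboot required: yes"
        else
            echo "reboot required: no"
        fi
    fi
}

case ${1-} in
    --dry-run|--apply) main "$1" ;;
esac
```

Point OS_RELEASE at a copy of another machine's os-release to see what the script would do there without running anything; the --apply path deliberately re-reads the command strings so what you saw in --dry-run is exactly what executes.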

Debian/Ubuntu (apt)

The first thing to do is refresh the local package index; running sudo apt update contacts all configured repositories and pulls in the newest lists of available versions. Skipping this step leaves the system blind to any recent uploads, which explains why “upgrade” sometimes claims there’s nothing to do even after a security advisory has been published. Once the index is current, invoke sudo apt upgrade -y; the -y flag answers every prompt automatically so the process doesn’t pause for user input. This command upgrades all installed packages that have newer versions in the repositories while preserving configuration files. It will install new packages that an upgrade pulls in (a new kernel image, for instance) but never removes any, so if an advisory's fix is held back for that reason, apt full-upgrade will take it. Debian and Ubuntu create /var/run/reboot-required when an installed update needs a reboot, which is the file to check before you close the maintenance window.

sudo apt update
sudo apt upgrade -y
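Between apt update and apt upgrade there is a moment to look at what is actually pending, and on a week like this the question is which of those upgrades come from the -security pocket and whether any of them is a kernel or libc that needs a reboot. The functions below are an added example, not from the article or from apt itself: they parse the format apt list --upgradable prints (name/suite1,suite2 version arch [upgradable from: old]), filter on a "<suite>-security" pocket, and apply a reboot heuristic that is this example's own prefix list. SAMPLE is constructed input with made-up version numbers.

```shell
#!/bin/sh
# Added example, not code from the article: classify `apt list --upgradable`
# output before running `apt upgrade`, so you can see which pending upgrades come
# from the -security pocket and whether any of them needs a reboot to take effect.
# Functions read stdin; SAMPLE is constructed data, not a real advisory listing.

# Keep the package name of every line whose suite list has a "<suite>-security" pocket.
# apt prints "pkg/suite1,suite2 version arch [upgradable from: old]", so splitting
# on "/" and " " puts the name in $1 and the comma-separated suite list in $2.
# The suite list is wrapped in commas so one regex covers first, middle and last.
security_upgrades() {
    awk -F'[/ ]' '("," $2 ",") ~ /,[a-z]+-security,/ { print $1 }'
}

# Package names that only take effect after a reboot: a new kernel image is not
# running until you boot it, and every process already has the old libc mapped.
# This prefix list is the example's heuristic, not something apt knows about.
reboot_triggers() {
    awk '/^(linux-image|linux-modules|libc6|systemd)/'
}

# One-line verdict for the pending set: count of security upgrades and reboot need.
upgrade_verdict() {
    input=$(cat)
    sec=$(printf '%s\n' "$input" | security_upgrades | wc -l | tr -d ' ')
    if printf '%s\n' "$input" | security_upgrades | reboot_triggers | grep -q .; then
        reboot=yes
    else
        reboot=no
    fi
    echo "security_upgrades=$sec reboot_needed=$reboot"
}

# Constructed sample in apt's output format (package names are real, versions are made up).
SAMPLE='Listing... Done
linux-image-generic/jammy-security,jammy-updates 5.15.0.199.199 amd64 [upgradable from: 5.15.0.198.198]
nginx-core/jammy-security,jammy-updates 1.18.0-6ubuntu14.99 amd64 [upgradable from: 1.18.0-6ubuntu14.98]
postgresql-14/jammy-security,jammy-updates 14.99-0ubuntu0.22.04.1 amd64 [upgradable from: 14.98-0ubuntu0.22.04.1]
vim/jammy-updates 2:8.2.3995-1ubuntu2.99 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.98]'

case ${1-} in
    --demo) printf '%s\n' "$SAMPLE" | upgrade_verdict ;;
    --live) apt list --upgradable 2>/dev/null | upgrade_verdict ;;
esac
```

On a real box run it with --live after apt update; the same parsing works for Debian, where the pocket is bookworm-security or trixie-security rather than jammy-security. The reboot verdict is a heuristic on package names; /var/run/reboot-required, written by the packages themselves after installation, is the authoritative answer once the upgrade has run.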

Fedora/RedHat/Rocky/Alma/Oracle (dnf or yum)

On modern Fedora and recent Red Hat derivatives, dnf is the package manager; RHEL 7 and its clones still rely on yum. Begin with a check-update operation, sudo dnf check-update or sudo yum check-update, to see exactly which packages are awaiting an upgrade. This preview step is useful for spotting unexpected kernel bumps before they land. If you script it, watch the exit status: check-update returns 0 when nothing is pending, 100 when updates are available, and 1 on error, so a script running under set -e aborts exactly when there is work to do. To restrict the run to errata, add --security (dnf upgrade --security; on yum this relies on yum-plugin-security, which is built into yum on RHEL 7). To actually apply the updates, run sudo dnf upgrade -y (or sudo yum update if you prefer the older tool). The upgrade command pulls down the new binaries and runs any necessary post-install scripts, such as rebuilding the initramfs when a kernel changes; afterwards, dnf needs-restarting -r (from dnf-plugins-core) tells you whether a reboot is still owed.

sudo dnf check-update
sudo dnf upgrade -y

or on older releases

sudo yum check-update
sudo yum update
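The check-update exit code is the detail that bites people who wrap these commands in cron or Ansible: 100 is "updates available", not "failed". The wrapper below is an added example, not from the article or from dnf: it reads that status correctly, applies security errata only, and then uses the documented exit status of dnf needs-restarting -r (1 means a reboot is required) to say whether the new kernel is still waiting for a boot. DNF is a variable so the same functions run against yum on RHEL 7 or against a stub when you test the logic.

```shell
#!/bin/sh
# Added example, not code from the article: a dnf/yum wrapper that reads the
# check-update exit status correctly and applies only security errata.
# dnf and yum exit 0 from check-update when nothing is pending, 100 when updates
# are available and 1 on error, so a script under `set -e` dies precisely when
# there is work to do. DNF can be pointed at yum (or at a stub for testing).
DNF=${DNF:-dnf}

# Print none|pending|error; return non-zero only for error. The command runs in an
# `if` so a 100 never trips errexit in a caller that has `set -e` on.
pending_security_updates() {
    if $DNF check-update --security -q >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0)   echo none ;;
        100) echo pending ;;
        *)   echo error; return 1 ;;
    esac
}

# Apply security errata only, then report whether the new kernel (or a core library
# such as glibc) is waiting for a reboot. `dnf needs-restarting -r` comes from
# dnf-plugins-core and exits 1 when a reboot is required; on RHEL 7 the equivalent
# is the standalone `needs-restarting -r` from yum-utils.
apply_security_updates() {
    state=$(pending_security_updates) || state=error
    case $state in
        none)  echo "no security updates pending"; return 0 ;;
        error) echo "check-update failed" >&2; return 1 ;;
    esac
    $DNF upgrade --security -y || { echo "upgrade failed" >&2; return 1; }
    if $DNF needs-restarting -r >/dev/null 2>&1; then
        echo "reboot: not required"
    else
        echo "reboot: required"
    fi
}

case ${1-} in
    --check) pending_security_updates ;;
    --apply) apply_security_updates ;;
esac
```

Run it as root with --apply during the window; --check is safe to run from monitoring at any time because check-update only downloads metadata. If you want to see the errata IDs rather than a count, dnf updateinfo list --security prints them alongside the packages they touch.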

SUSE (zypper)

SUSE’s command line front‑end is called zypper. First execute sudo zypper refresh so that the metadata for all enabled repos gets updated; without this, zypper will happily report that there is nothing to do even though newer packages sit on the mirror. After a fresh refresh, issue sudo zypper patch -y: zypper patch installs the patches that SUSE publishes its advisories as (zypper patch --category security narrows it to the security ones), whereas zypper update upgrades every installed package to the newest version in the repositories, which is more than an advisory asks for. zypper does not restart services for you. Afterwards, run zypper ps -s to list processes still running with files that were replaced and restart those, and run zypper needs-rebooting, which exits with status 102 when the kernel or another reboot-requiring package changed.

sudo zypper refresh
sudo zypper patch -y

Slackware (slackpkg)

Slackware doesn’t have a single unified updater, but the official way to pull updates is through slackpkg. Start with sudo slackpkg update to download the newest package list from the mirror selected in /etc/slackpkg/mirrors (exactly one line in that file must be uncommented). Then run sudo slackpkg upgrade-all; this command walks through each installed package and replaces it with the most recent build available in the official repository. On 15.0, security fixes such as the libarchive update land in the patches/ directory, so sudo slackpkg upgrade patches applies just those; specifying a package name instead, as in sudo slackpkg upgrade libarchive, limits the operation to that single item. Advisories also give the manual route: download the .txz and its .asc, check it with gpg --verify against the Slackware signing key, then install it with upgradepkg. pkgtool is the menu-driven front end to installpkg, removepkg, and upgradepkg and has no update or upgrade subcommands; third-party repositories are outside slackpkg’s scope unless you add the slackpkg+ extension, and SlackBuilds.org packages are handled by tools like sbopkg.

sudo slackpkg update
sudo slackpkg upgrade-all

This week's bulletin is a textbook case of patch fatigue hitting head-on. The sheer volume of Critical and Important ratings across RHEL, Oracle, Debian, and Ubuntu leaves no room for procrastination. Nginx and PostgreSQL showed up on nearly every single list, which means your DMZ and your databases are sitting on unpatched RCE and privilege escalation vectors if you haven't run a dnf upgrade or apt full-upgrade yet.

Not cheap in terms of operational overhead, but the alternative is letting attackers test those Chromium memory corruption flaws and kernel race conditions against your infrastructure. Prioritize the kernel and web stack first. Lean on live patching for SUSE and RHEL to keep your SLAs intact for the kernel CVEs it covers, restart the services behind the userspace fixes, and don't wait for the weekend maintenance window. The attack surface this week is wider than usual. Patch early, patch hard.