Security 10970 Published by

Multiple major Linux distributions released coordinated security advisories this week to address critical vulnerabilities across their core stacks. The patches prioritize fixes for the GhostLock and Januscape kernel flaws, alongside dozens of high-severity issues affecting Chromium, OpenShift, and enterprise infrastructure tools. RHEL, Oracle, Rocky, and Fedora are rolling out extensive kpatch updates and system library fixes that span both legacy and current kernel streams. Administrators should prioritize immediate patching to secure production environments against active exploitation vectors.





GhostLock and Januscape Kernel Flaws Hit Multiple Distros as Linux Security Updates Pour In

AlmaLinux calls for testers while RHEL, Debian, and Ubuntu push critical patches for Chromium, OpenShift, and enterprise stacks.

The Linux kernel is under the scanner again. AlmaLinux has released emergency patches to address the GhostLock privilege escalation bug (CVE-2026-43499) and the Januscape memory corruption flaw. You won't be the only one waiting to apply them. In the same window, RHEL, Debian, and Ubuntu are rolling out coordinated security advisories that tackle dozens of critical vulnerabilities across everything from OpenShift and Chromium to core networking tools.

It is a busy week. If you run AlmaLinux 8, 9, or 10, the updates target the Linux kernel directly, alongside fixes for Grafana, Node.js, Nginx, PostgreSQL, and Tomcat. The patches close vulnerabilities that could allow arbitrary code execution, authentication bypasses, and denial of service attacks. AlmaLinux is actually calling for testing on the patched kernels right now, so keep an eye on their tracker if you are running production boxes.

Tuxrepair

Kernel and Core Infrastructure Updates

While GhostLock grabs headlines, the actual patching effort spans the entire ecosystem. Fedora is pushing out kernel 7.1.3 rebases across versions 43 and 44. That is alongside updates for rust-quick-xml, Podman, and a slew of Rust libraries. You will also want to grab the fixes for Tor 0.4.9.11, Docker Compose 5.3.0, and Helm 4.2.2. OpenSSH is getting patches for opkssh and memory leaks in that batch.

Over on the enterprise side, Red Hat has issued security advisories for RHEL versions 7 through 10. The list is exhaustive. It covers OpenShift Container Platform versions 4.15, 4.17, 4.18, 4.19, 4.20, 4.21, 4.22, and 4.23. There are kpatch updates for kernels dating all the way back to the 4.18 and 5.14 series. If you manage RHEL infrastructure, you are looking at a serious patching window. We have all seen what happens when kpatch scripts choke on a live system. The redundancy is necessary, though the execution leaves room for improvement.

Oracle Linux is not resting either. Administrators for versions 7, 8, and 9 need to install coordinated advisories that hit the Unbreakable Enterprise Kernel, container tools, OpenSSL, Python pip, and popular web applications like Ruby, PHP, MariaDB, and Nginx. Rocky Linux mirrors that effort, patching MariaDB, Node.js, Nginx, Python, and the kernel across its own 8, 9, and 10 branches.

Desktop, Browsers, and Dev Tools

The browser front is particularly heated. Debian is fixing 25 vulnerabilities in Chromium. That is alongside 16 flaws in ImageMagick and kernel privilege escalation risks. Ubuntu Linux is doing the same, addressing critical issues across LTS versions 14.04 through 26.04. Patches cover the Raspberry Pi and NVIDIA kernels, cloud infrastructure components, Python, Apache HTTP Server, curl, and ruby-addressable.

SUSE Linux is tackling a wide array of developer tools. You will find updates for the Linux Kernel, Apache, Go 1.26, Systemd, and Postfix. There is also a critical security update for perl-Crypt-SaltedHash, plus moderate patches for Python, gimp, and chromedriver. They are rolling out updates for podman, apache2, and go1.26-openssl across their stacks.

Slackware users typically get a quieter life, but this week brings PHP, Mutt, OpenSSH, C-Ares, Tftp-hpa, Proftpd, and P11-kit fixes. Memory corruption bugs, openssl processing errors, path traversal gaps, and silent argument truncation issues are all being closed up. Buffer overflows in Tftp-hpa and stack corruption in Proftpd round out the list.

Keep in mind that these are all live advisories. The RHEL kpatches alone target multiple active kernel streams simultaneously. If you rely on RHEL, Oracle, or Rocky, your maintenance window just got longer. Head to the AlmaLinux errata tracker if you want to dig into the specific CVE mappings for GhostLock and Januscape. Otherwise, run your package managers and apply the updates before you head to sleep.

Latest Security Updates by Distribution

Here’s a complete breakdown of the security updates for AlmaLinux, Debian GNU/Linux, Fedora Linux, Oracle Linux, Red Hat Enterprise Linux, Rocky Linux, Slackware Linux, SUSE Linux, and Ubuntu Linux.

AlmaLinux

AlmaLinux issued a series of important security errata across versions 8, 9, and 10 to patch critical flaws in widely used software packages. The updates target the Linux kernel with fixes for GhostLock privilege escalation and Januscape memory corruption bugs, while also addressing security issues in Grafana, Node.js, Nginx, PostgreSQL, and Tomcat. These patches close vulnerabilities that could allow arbitrary code execution, authentication bypasses, and denial of service attacks against affected systems.

Debian GNU/Linux

Debian and its Long Term Support partners recently issued multiple security advisories to fix critical vulnerabilities across widely used software packages. The latest patches address sixteen flaws in ImageMagick, twenty-five vulnerabilities in Chromium, and privilege escalation risks in the Linux kernel. These updates prevent attackers from executing arbitrary code, bypassing access controls, and triggering denial of service attacks on Debian 9, Debian 12, and older distribution branches.

Fedora Linux

Debian security teams distributed multiple advisories to patch vulnerabilities across widely used open source software. The updates include critical fixes for Chromium, Linux kernel versions 5.10 and 6.1, OpenVPN, and MediaWiki. Additional packages receiving security patches or regression corrections are ImageMagick, Postfix, dpkg, pgextwlist, rlottie, opam, and Tomcat 9.

Oracle Linux

Oracle Linux administrators must install coordinated security advisories across versions 7, 8, and 9 to address critical vulnerabilities in core system software. The patch set covers the Unbreakable Enterprise Kernel, container tools, OpenSSL, Python pip, and popular web applications like Ruby, PHP, MariaDB, and Nginx.

Red Hat Enterprise Linux

Red Hat issued security advisories for Red Hat Enterprise Linux versions 7 through 10 throughout 2026. These patches address vulnerabilities in the Linux kernel, OpenShift Container Platform, Python, Grafana, nginx, and Firefox.

Rocky Linux

Rocky Linux administrators must apply recent security advisories that address vulnerabilities across versions 8, 9, and 10. These updates patch critical flaws in widely used software including MariaDB, Node.js, Nginx, Python, and the Linux kernel.

Slackware Linux

The Slackware Linux Security Team distributed new packages for version 15.0 and the current branch to patch critical flaws across multiple applications. PHP and Mutt updates resolve memory corruption bugs and openssl processing errors, while OpenSSH and C-Ares patches eliminate path traversal gaps and silent argument truncation issues. Additional fixes target buffer overflows in Tftp-hpa, stack corruption in Proftpd, unbounded recursion in P11-kit, and two Xorg server vulnerabilities affecting TigerVNC.

SUSE Linux

SUSE deployed coordinated security patches to fix hundreds of vulnerabilities across core Linux distributions and developer tools. These updates target important software including the Linux Kernel, Chromium browser, Apache server, and Python libraries while also securing Go, Systemd, and Postfix.

Ubuntu Linux

Ubuntu released multiple security notices addressing critical vulnerabilities across LTS versions 14.04 through 26.04. Patches cover the Raspberry Pi and NVIDIA kernels, cloud infrastructure components, and widely used software like Python, Apache HTTP Server, curl, and ruby-addressable.

How to apply these Linux security updates

Before running any update commands, check which services are currently active on your system. If Nginx or Apache is handling live traffic, schedule a brief maintenance window or use rolling restarts to minimize downtime during the patching process. Desktop users can usually apply these fixes by opening a terminal and running the standard package manager command for their distribution followed by an upgrade flag. A reboot will be necessary if the kernel received updates to ensure the new security modules load correctly.

Power users who rely on command-line tools like jq should verify the patch level after installation. Regression bugs can occasionally break scripts that depend on specific JSON parsing behavior, so a quick test run is worth the few minutes it takes. If you use PackageKit or other GUI package managers and prefer to skip them because they sometimes hang or try to install junk, do not let that stop you from running the command-line equivalent to get these critical patches applied.

Applying these patches requires distribution-specific package management commands. RHEL-based systems typically use dnf update or yum update, while Debian and Ubuntu rely on apt upgrade. SUSE users should run zypper patch to properly address all security advisories, and Slackware administrators can manage updates with upgradepkg or slackpkg. After executing the commands, a reboot is usually necessary for kernel changes to take effect. Finally, review your package manager’s logs to verify that all patches installed successfully and no dependencies were disrupted.

Debian/Ubuntu (apt)

The first thing to do is refresh the local package index; running sudo apt update contacts all configured repositories and pulls in the newest lists of available versions. Skipping this step leaves the system blind to any recent uploads, which explains why “upgrade” sometimes claims there’s nothing to do even after a security advisory has been published. Once the index is current, invoke sudo apt upgrade -y; the -y flag answers every prompt automatically so the process doesn’t pause for user input. This command upgrades all installed packages that have newer versions in the repositories while preserving configuration files.

sudo apt update
sudo apt upgrade -y

Fedora/RedHat/Rocky/Alma/Oracle (dnf or yum)

On modern Fedora and recent Red Hat derivatives, dnf is the package manager; older RHEL releases still rely on yum. Begin with a check‑update operation—sudo dnf check-update or sudo yum check-update—to see exactly which packages are awaiting an upgrade. This preview step can be useful for spotting unexpected kernel bumps before they land. To actually apply the updates, run sudo dnf upgrade -y (or sudo yum update if you prefer the older tool). The upgrade command pulls down the new binaries and runs any necessary post‑install scripts, such as rebuilding initramfs when a kernel changes.

sudo dnf check-update
sudo dnf upgrade -y

or on older releases

sudo yum check-update
sudo yum update

SUSE (zypper)

SUSE’s command line front‑end is called zypper. First execute sudo zypper refresh so that the metadata for all enabled repos gets updated; without this, zypper will happily report “No updates available” even though newer packages sit on the mirror. After a fresh refresh, issue sudo zypper update -y; this upgrades every package to the latest version in the configured repositories and automatically handles service restarts when required.

sudo zypper refresh
sudo zypper update -y

Slackware (slackpkg and pkgtool)

Slackware doesn’t have a single unified updater, but the official way to pull updates is through slackpkg. Start with sudo slackpkg update to download the newest package list from the chosen mirror. Then run sudo slackpkg upgrade-all; this command walks through each installed package and replaces it with the most recent build available in the official repository. For users who prefer a more granular approach, specifying a package name after upgrade limits the operation to that single item. When dealing with community‑maintained repositories, pkgtool takes over: a combined sudo pkgtool update && sudo pkgtool upgrade will sync and apply updates from the mirrors listed in /etc/slackpkg/mirrors.

sudo slackpkg update
sudo slackpkg upgrade-all