Debian released multiple security advisories to patch critical vulnerabilities in mbedtls, libde265, and openjdk-21. The mbedtls update resolves a timing discrepancy that could expose cryptographic secrets alongside a flawed random number fallback mechanism. Libde265 receives essential memory safety corrections after developers found stack and heap overflow bugs capable of triggering severe system crashes or unauthorized execution. OpenJDK 21 also gets fixed against numerous authentication flaws and denial of service risks, prompting administrators to upgrade all affected systems right away.

[DLA 4551-1] mbedtls security update
ELA-1698-1 libde265 security update
[DLA 4550-1] libde265 security update
[DSA 6231-1] openjdk-21 security update

[SECURITY] [DLA 4551-1] mbedtls security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4551-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
April 27, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : mbedtls
Version : 2.16.9-0.1+deb11u4
CVE ID : CVE-2025-59438 CVE-2026-34871

CVE-2025-59438

Observable Timing Discrepancy. The presence of a padding error could
leak through timings, enabling the attacker to recover information
about the secret.

CVE-2026-34871

On systems where getrandom() was not available, /dev/urandom would be
used a fallback instead of /dev/random.

For Debian 11 bullseye, these problems have been fixed in version
2.16.9-0.1+deb11u4.

We recommend that you upgrade your mbedtls packages.

For the detailed security status of mbedtls please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mbedtls

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1698-1 libde265 security update (by )

Package : libde265
Version : 1.0.11-0+deb9u7 (stretch), 1.0.11-0+deb10u7 (buster)

Related CVEs :
CVE-2023-51792
CVE-2026-33164
CVE-2026-33165

It was found that libde265, an open source implementation of the H.265 video
codec, had multiple vulnerabilities which included both stack and heap out of
bound writes that could lead to denial of service, etc.

ELA-1698-1 libde265 security update (by )

[SECURITY] [DLA 4550-1] libde265 security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4550-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
April 27, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libde265
Version : 1.0.11-0+deb11u4
CVE ID : CVE-2023-51792 CVE-2026-33164 CVE-2026-33165
Debian Bug : 1131468 1131469

It was found that libde265, an open source implementation of the H.265 video
codec, had multiple vulnerabilities which could lead to both stack and heap
out of bound writes that could lead to denial of service, etc.

For Debian 11 bullseye, these problems have been fixed in version
1.0.11-0+deb11u4.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6231-1] openjdk-21 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6231-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 27, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-21
CVE ID : CVE-2026-22007 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018
CVE-2026-22021 CVE-2026-34268 CVE-2026-34282

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in incorrect generation of cryptographic keys, denial
of service, information disclosure, XEE/XEE attacks or incorrect
validation of Kerberos credentials.

For the stable distribution (trixie), these problems have been fixed in
version 21.0.11+10-1~deb13u2.

We recommend that you upgrade your openjdk-21 packages.

For the detailed security status of openjdk-21 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-21

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/