
Fedora administrators should immediately apply a series of security patches released on May 5 to address critical vulnerabilities across multiple core packages in Fedora 43 and 44. The updates target nodejs20, chromium, uriparser, rust-sequoia-git, and insight by fixing dozens of severe flaws that could allow denial of service attacks or unauthorized system access. Many of these issues stem from memory corruption bugs and flawed input validation within widely used networking and rendering libraries. System owners can quickly deploy the fixes through standard package management tools using the specific advisory identifiers provided in each notification.

Fedora 43 Update: nodejs20-20.20.2-3.fc43
Fedora 43 Update: chromium-147.0.7727.137-1.fc43
Fedora 44 Update: uriparser-1.0.1-1.fc44
Fedora 44 Update: rust-sequoia-git-0.6.0-1.fc44
Fedora 44 Update: insight-18.0.50.20260306-3.fc44
Fedora 44 Update: nodejs20-20.20.2-3.fc44




[SECURITY] Fedora 43 Update: nodejs20-20.20.2-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9dc3a61ad8
2026-05-05 01:12:48.425414+00:00
--------------------------------------------------------------------------------

Name : nodejs20
Product : Fedora 43
Version : 20.20.2
Release : 3.fc43
URL : https://nodejs.org
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Update to version 20.20.2
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 14 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.2-3
- Rework of update of nghttp2
* Tue Apr 14 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.2-2
- Update bundled nghttp2 to 1.68.1
* Tue Apr 14 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.2-1
- Update to version 20.20.2 (rhbz#2444850)
* Tue Apr 14 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.1-1
- Update to version 20.20.1 (rhbz#2444850)
* Tue Apr 14 2026 Jan Staněk [jstanek@redhat.com] - 1:20.20.0-5
- Disable flaky test on s390x
* Tue Apr 14 2026 Jan Staněk [jstanek@redhat.com] - 1:20.20.0-4
- Own /usr/lib/node_modules again (rhbz#2438837)
* Tue Apr 14 2026 Jan Staněk [jstanek@redhat.com] - 1:20.20.0-3
- Convert to next-gen packaging
- Use packaging scripts and spec file structure from current nodejs24
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447158 - CVE-2026-1528 nodejs20: undici: Denial of Service via crafted WebSocket frame with large length [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447158
[ 2 ] Bug #2447161 - CVE-2026-2229 nodejs20: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447161
[ 3 ] Bug #2447168 - CVE-2026-1525 nodejs20: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447168
[ 4 ] Bug #2447172 - CVE-2026-1527 nodejs20: Undici: HTTP header injection and request smuggling vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447172
[ 5 ] Bug #2447179 - CVE-2026-1526 nodejs20: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447179
[ 6 ] Bug #2453563 - CVE-2026-21717 nodejs20: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453563
[ 7 ] Bug #2453567 - CVE-2026-21714 nodejs20: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453567
[ 8 ] Bug #2453570 - CVE-2026-21713 nodejs20: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453570
[ 9 ] Bug #2453592 - CVE-2026-21716 nodejs20: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453592
[ 10 ] Bug #2453596 - CVE-2026-21715 nodejs20: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453596
[ 11 ] Bug #2453599 - CVE-2026-21710 nodejs20: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453599
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9dc3a61ad8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: chromium-147.0.7727.137-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-af3f470d38
2026-05-05 01:12:48.425423+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 147.0.7727.137
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

The updates include fixes for:
Critical CVE-2026-7363: Use after free in Canvas
Critical CVE-2026-7361: Use after free in iOS
Critical CVE-2026-7344: Use after free in Accessibility
Critical CVE-2026-7343: Use after free in Views
High CVE-2026-7333: Use after free in GPU
High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
High CVE-2026-7359: Use after free in ANGLE
High CVE-2026-7358: Use after free in Animation
High CVE-2026-7334: Use after free in Views
High CVE-2026-7357: Use after free in GPU
High CVE-2026-7356: Use after free in Navigation
High CVE-2026-7354: Out of bounds read and write in Angle
High CVE-2026-7353: Heap buffer overflow in Skia
High CVE-2026-7352: Use after free in Media
High CVE-2026-7351: Race in MHTML
High CVE-2026-7350: Use after free in WebMIDI
High CVE-2026-7349: Use after free in Cast
High CVE-2026-7348: Use after free in Codecs
High CVE-2026-7335: Use after free in media
High CVE-2026-7336: Use after free in WebRTC
High CVE-2026-7337: Type Confusion in V8
High CVE-2026-7347: Use after free in Chromoting
High CVE-2026-7346: Inappropriate implementation in Tint
High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
High CVE-2026-7338: Use after free in Cast
High CVE-2026-7342: Use after free in WebView
High CVE-2026-7341: Use after free in WebRTC
Medium CVE-2026-7339: Heap buffer overflow in WebRTC
Medium CVE-2026-7340: Integer overflow in ANGLE
Medium CVE-2026-7355: Use after free in Media
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 Than Ngo [than@redhat.com] - 147.0.7727.137-1
- Update to 147.0.7727.137
  * Critical CVE-2026-7363: Use after free in Canvas
  * Critical CVE-2026-7361: Use after free in iOS
  * Critical CVE-2026-7344: Use after free in Accessibility
  * Critical CVE-2026-7343: Use after free in Views
  * High CVE-2026-7333: Use after free in GPU
  * High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
  * High CVE-2026-7359: Use after free in ANGLE
  * High CVE-2026-7358: Use after free in Animation
  * High CVE-2026-7334: Use after free in Views
  * High CVE-2026-7357: Use after free in GPU
  * High CVE-2026-7356: Use after free in Navigation
  * High CVE-2026-7354: Out of bounds read and write in Angle
  * High CVE-2026-7353: Heap buffer overflow in Skia
  * High CVE-2026-7352: Use after free in Media
  * High CVE-2026-7351: Race in MHTML
  * High CVE-2026-7350: Use after free in WebMIDI
  * High CVE-2026-7349: Use after free in Cast
  * High CVE-2026-7348: Use after free in Codecs
  * High CVE-2026-7335: Use after free in media
  * High CVE-2026-7336: Use after free in WebRTC
  * High CVE-2026-7337: Type Confusion in V8
  * High CVE-2026-7347: Use after free in Chromoting
  * High CVE-2026-7346: Inappropriate implementation in Tint
  * High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
  * High CVE-2026-7338: Use after free in Cast
  * High CVE-2026-7342: Use after free in WebView
  * High CVE-2026-7341: Use after free in WebRTC
  * Medium CVE-2026-7339: Heap buffer overflow in WebRTC
  * Medium CVE-2026-7340: Integer overflow in ANGLE
  * Medium CVE-2026-7355: Use after free in Media
* Sun Apr 26 2026 Than Ngo [than@redhat.com] - 147.0.7727.116-2
- Fix FTBFS with rust 1.95
- Backport the upstream fix GL native pixmap import support reset in GpuInit
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463710 - CVE-2026-7333 CVE-2026-7334 CVE-2026-7335 CVE-2026-7336 CVE-2026-7337 CVE-2026-7338 CVE-2026-7339 CVE-2026-7340 CVE-2026-7341 CVE-2026-7342 CVE-2026-7343 CVE-2026-7344 CVE-2026-7345 CVE-2026-7346 CVE-2026-7347 ... chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463710
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-af3f470d38' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: uriparser-1.0.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-57515ed8b1
2026-05-05 00:53:44.303273+00:00
--------------------------------------------------------------------------------

Name : uriparser
Product : Fedora 44
Version : 1.0.1
Release : 1.fc44
URL : https://uriparser.github.io/
Summary : URI parsing library - RFC 3986
Description :
Uriparser is a strictly RFC 3986 compliant URI parsing library written
in C. uriparser is cross-platform, fast, supports Unicode and is
licensed under the New BSD license.

--------------------------------------------------------------------------------
Update Information:

Update to uriparser-1.0.1.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Sandro Mani [manisandro@gmail.com] - 1.0.1-1
- Update to 1.0.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463210 - CVE-2026-42371 uriparser: uriparser: Denial of Service via numeric truncation with oversized URIs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463210
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-57515ed8b1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: rust-sequoia-git-0.6.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0a72408e1b
2026-05-05 00:53:44.303259+00:00
--------------------------------------------------------------------------------

Name : rust-sequoia-git
Product : Fedora 44
Version : 0.6.0
Release : 1.fc44
URL : https://crates.io/crates/sequoia-git
Summary : Tool for managing and enforcing a commit signing policy
Description :
A tool for managing and enforcing a commit signing policy.

--------------------------------------------------------------------------------
Update Information:

Update to version 0.6.0. Addresses RUSTSEC-2026-0109.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 23 2026 Fabio Valentini [decathorpe@gmail.com] - 0.6.0-1
- Update to version 0.6.0; Fixes RHBZ#2460155
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0a72408e1b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: insight-18.0.50.20260306-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f72d44d09e
2026-05-05 00:53:44.303240+00:00
--------------------------------------------------------------------------------

Name : insight
Product : Fedora 44
Version : 18.0.50.20260306
Release : 3.fc44
URL : https://www.sourceware.org/insight/
Summary : Graphical debugger based on GDB
Description :
Insight is a tight graphical user interface to GDB written in Tcl/Tk.
It provides a comprehensive interface that enables users to harness
most of GDB's power. It's also probably the only up-to-date UI for
the latest GDB version.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2026-6846.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 24 2026 Patrick Monnerat [patrick@monnerat.net] 18.0.50.20260306-3
- Fix CVE-2026-6846.
  https://sourceware.org/bugzilla/show_bug.cgi?id=34049
  https://bugzilla.redhat.com/show_bug.cgi?id=2460525
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2460525 - CVE-2026-6846 insight: Binutils: Arbitrary code execution via malformed XCOFF object file processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2460525
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f72d44d09e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nodejs20-20.20.2-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c99f9dc3b1
2026-05-05 00:53:44.303222+00:00
--------------------------------------------------------------------------------

Name : nodejs20
Product : Fedora 44
Version : 20.20.2
Release : 3.fc44
URL : https://nodejs.org
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Update to version 20.20.2
Automatic update for nodejs20-20.20.0-7.fc44.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 1 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.2-3
- Rework of update of nghttp2
* Mon Mar 30 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.2-2
- Update bundled nghttp2 to 1.68.1
* Wed Mar 25 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.2-1
- Update to version 20.20.2 (rhbz#2444850)
* Fri Mar 20 2026 tjuhasz [tjuhasz@redhat.com] - 1:20.20.1-1
- Update to version 20.20.1 (rhbz#2444850)
* Wed Mar 18 2026 Andrei Radchenko [aradchen@redhat.com] - 1:20.20.0-10
- introduce -bins sub-plan
* Tue Mar 10 2026 Andrei Radchenko [aradchen@redhat.com] - 1:20.20.0-9
- tests: share metadata for all plans
* Tue Feb 17 2026 Andrei Radchenko [aradchen@redhat.com] - 1:20.20.0-8
- spec: remove obsolete requires
* Tue Feb 17 2026 Jan Staněk [jstanek@redhat.com] - 1:20.20.0-7
- Disable flaky test on s390x
* Mon Feb 16 2026 Jan Staněk [jstanek@redhat.com] - 1:20.20.0-6
- Own /usr/lib/node_modules again (rhbz#2438837)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2438837 - nodejs20 does not own/provide /usr/lib/node_modules directory
https://bugzilla.redhat.com/show_bug.cgi?id=2438837
[ 2 ] Bug #2453563 - CVE-2026-21717 nodejs20: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453563
[ 3 ] Bug #2453567 - CVE-2026-21714 nodejs20: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453567
[ 4 ] Bug #2453570 - CVE-2026-21713 nodejs20: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453570
[ 5 ] Bug #2453592 - CVE-2026-21716 nodejs20: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453592
[ 6 ] Bug #2453596 - CVE-2026-21715 nodejs20: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453596
[ 7 ] Bug #2453599 - CVE-2026-21710 nodejs20: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453599
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c99f9dc3b1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------