Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1694-1 pillow security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1695-1 pillow security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6230-1] chromium security update
[DSA 6229-1] thunderbird security update
[SECURITY] [DSA 6230-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6230-1                   security@debian.org
https://www.debian.org/security/                           Andres Salomon
April 24, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-6919 CVE-2026-6920 CVE-2026-6921
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 147.0.7727.116-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 147.0.7727.116-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6229-1] thunderbird security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6229-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : thunderbird
CVE ID : CVE-2026-6746 CVE-2026-6747 CVE-2026-6748 CVE-2026-6749
         CVE-2026-6750 CVE-2026-6751 CVE-2026-6752 CVE-2026-6753
         CVE-2026-6754 CVE-2026-6757 CVE-2026-6761 CVE-2026-6762
         CVE-2026-6763 CVE-2026-6764 CVE-2026-6765 CVE-2026-6766
         CVE-2026-6767 CVE-2026-6769 CVE-2026-6770 CVE-2026-6771
         CVE-2026-6772 CVE-2026-6776 CVE-2026-6785 CVE-2026-6786
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1:140.10.0esr-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 1:140.10.0esr-1~deb13u1.
We recommend that you upgrade your thunderbird packages.
For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1695-1 pillow security update
Package : pillow
Version : 5.4.1-2+deb10u7 (buster)
Related CVEs :
CVE-2021-25293
CVE-2021-28675
CVE-2021-28676
CVE-2022-24303
Multiple vulnerabilities have been found in pillow, an image processing library for Python, with potential effects of denial of service due to resource exhaustion or infinite loop.
CVE-2021-25293
There is an out-of-bounds read in SGIRleDecode.c.
CVE-2021-28675
PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
CVE-2021-28676
For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
CVE-2022-24303
Allows attackers to delete files because spaces in temporary pathnames are mishandled.
ELA-1694-1 pillow security update
Package : pillow
Version : 4.0.0-4+deb9u7 (stretch)
Related CVEs :
CVE-2019-16865
CVE-2021-27922
CVE-2021-27923
CVE-2021-28675
Multiple vulnerabilities have been found in pillow, an image processing library for Python, with potential effects of denial of service due to resource exhaustion.
CVE-2019-16865
When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2021-27922
Denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
CVE-2021-27923
Denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
CVE-2021-28675
PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.