ELA-1737-1 libexif security update
Package : libexif
Version : 0.6.21-2+deb9u6 (stretch), 0.6.21-5.1+deb10u6 (buster)
Related CVEs :
CVE-2026-32775
CVE-2026-40385
CVE-2026-40386
Three security vulnerabilities were discovered in libexif, a library that reads
and writes EXIF metainformation from and to image files, that can cause
crashes or information leaks.
CVE-2026-32775
If the exif_mnote_data_get_value function in MakerNotes gets passed
a size of 0, the passed-in buffer would be overwritten due to an
integer underflow.
CVE-2026-40385
An unsigned 32-bit integer overflow in Nikon MakerNote handling could
be used by local attackers to cause crashes or information leaks.
CVE-2026-40386
An integer underflow in size checking for Fuji and Olympus MakerNote
decoding could be used by attackers to crash or leak information out
of libexif-using programs.
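The size-0 failure described for CVE-2026-32775, as an added illustration that is not libexif source code: the function names, the length-only model of the flawed computation and the sample string are constructed for this example. It shows why subtracting one from an unsigned size of 0 removes the bound, next to a getter that checks the size before doing any arithmetic on it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not libexif source: a getter that formats an
 * entry's text into a caller-supplied buffer of maxlen bytes. */

/* Flawed shape: reserves one byte for the terminator with maxlen - 1.
 * With maxlen == 0 the unsigned subtraction wraps to SIZE_MAX, so the
 * limit no longer bounds anything. Returns the number of bytes a copy
 * would write; the copy itself is deliberately not performed. */
size_t naive_copy_len(size_t maxlen, size_t srclen)
{
    size_t limit = maxlen - 1;              /* wraps when maxlen == 0 */
    return srclen < limit ? srclen : limit;
}

/* Hardened getter: rejects NULL and zero-sized buffers first, then
 * truncates to the buffer and always writes a terminator. */
char *mnote_get_value_checked(const char *src, char *val, size_t maxlen)
{
    if (src == NULL || val == NULL || maxlen == 0)
        return NULL;
    size_t n = strlen(src);
    if (n > maxlen - 1)                     /* safe: maxlen >= 1 here */
        n = maxlen - 1;
    memcpy(val, src, n);
    val[n] = '\0';
    return val;
}

int main(void)
{
    char buf[8];
    /* Constructed sample string, truncated to fit the 8-byte buffer. */
    return mnote_get_value_checked("NIKON D70 v1.0", buf, sizeof buf) ? 0 : 1;
}
```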
[SECURITY] [DLA 4608-1] corosync security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4608-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
May 30, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : corosync
Version : 3.1.2-2+deb11u2
CVE ID : CVE-2026-35091 CVE-2026-35092
Debian Bug : 1133837 1133838
Two vulnerabilities have been found in corosync, a cluster engine daemon and
utilities, that allow a remote, unauthenticated attacker to cause a denial of
service.
CVE-2026-35091
A remote unauthenticated attacker can exploit a wrong return value
vulnerability in the Corosync membership commit token sanity check by
sending a specially crafted User Datagram Protocol (UDP) packet. This can
lead to an out-of-bounds read, causing a denial of service (DoS) and
potentially disclosing limited memory contents.
CVE-2026-35092
An integer overflow vulnerability in Corosync's join message sanity
validation allows a remote, unauthenticated attacker to send crafted User
Datagram Protocol (UDP) packets. This can cause the service to crash,
leading to a denial of service.
For Debian 11 bullseye, these problems have been fixed in version
3.1.2-2+deb11u2.
We recommend that you upgrade your corosync packages.
For the detailed security status of corosync please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/corosync
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6311-1] php-twig security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6311-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 29, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php-twig
CVE ID : CVE-2026-24425 CVE-2026-46627 CVE-2026-46628 CVE-2026-46629
CVE-2026-46633 CVE-2026-46634 CVE-2026-46635 CVE-2026-46636
CVE-2026-46637 CVE-2026-46638 CVE-2026-46640 CVE-2026-47730
CVE-2026-47732 CVE-2026-48805
Multiple security vulnerabilities were discovered in Twig, a template
engine for PHP, which could result in PHP code injection, sandbox bypass
or cross-site scripting.
For the stable distribution (trixie), these problems have been fixed in
version 3.27.0-0+deb13u1.
We recommend that you upgrade your php-twig packages.
For the detailed security status of php-twig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-twig
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6310-1] imagemagick security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6310-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 29, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : imagemagick
CVE ID : CVE-2026-42050 CVE-2026-42326 CVE-2026-45031 CVE-2026-45359
CVE-2026-45624 CVE-2026-45664 CVE-2026-46520 CVE-2026-46521
CVE-2026-46522 CVE-2026-46523 CVE-2026-46559 CVE-2026-46692
CVE-2026-46693 CVE-2026-47165 CVE-2026-47166
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or
potentially arbitrary code execution if malformed images are processed.
For the oldstable distribution (bookworm), these problems have been fixed
in version 8:6.9.11.60+dfsg-1.6+deb12u10.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4607-1] linux-6.1 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4607-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
May 29, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : linux-6.1
Version : 6.1.174-1~deb11u1
CVE ID : CVE-2026-43503 CVE-2026-46174 CVE-2026-46300
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For Debian 11 bullseye, these problems have been fixed in version
6.1.174-1~deb11u1.
We recommend that you upgrade your linux-6.1 packages.
For the detailed security status of linux-6.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-6.1
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4606-1] linux security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4606-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
May 29, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : linux
Version : 5.10.257-1
CVE ID : CVE-2024-56584 CVE-2025-39748 CVE-2025-39764 CVE-2025-40219
CVE-2025-40261 CVE-2025-68206 CVE-2025-71274 CVE-2025-71292
CVE-2025-71304 CVE-2026-23100 CVE-2026-23112 CVE-2026-23227
CVE-2026-23242 CVE-2026-23243 CVE-2026-23245 CVE-2026-23253
CVE-2026-23273 CVE-2026-23274 CVE-2026-23277 CVE-2026-23279
CVE-2026-23281 CVE-2026-23286 CVE-2026-23289 CVE-2026-23290
CVE-2026-23291 CVE-2026-23293 CVE-2026-23298 CVE-2026-23300
CVE-2026-23303 CVE-2026-23304 CVE-2026-23307 CVE-2026-23312
CVE-2026-23318 CVE-2026-23336 CVE-2026-23339 CVE-2026-23351
CVE-2026-23352 CVE-2026-23356 CVE-2026-23357 CVE-2026-23362
CVE-2026-23365 CVE-2026-23367 CVE-2026-23368 CVE-2026-23372
CVE-2026-23379 CVE-2026-23381 CVE-2026-23382 CVE-2026-23388
CVE-2026-23391 CVE-2026-23395 CVE-2026-23396 CVE-2026-23397
CVE-2026-23398 CVE-2026-23420 CVE-2026-23434 CVE-2026-23439
CVE-2026-23446 CVE-2026-23452 CVE-2026-23455 CVE-2026-23456
CVE-2026-23457 CVE-2026-23458 CVE-2026-23460 CVE-2026-23462
CVE-2026-23463 CVE-2026-23474 CVE-2026-31391 CVE-2026-31393
CVE-2026-31396 CVE-2026-31399 CVE-2026-31400 CVE-2026-31402
CVE-2026-31403 CVE-2026-31405 CVE-2026-31411 CVE-2026-31415
CVE-2026-31416 CVE-2026-31417 CVE-2026-31418 CVE-2026-31421
CVE-2026-31422 CVE-2026-31423 CVE-2026-31424 CVE-2026-31425
CVE-2026-31427 CVE-2026-31428 CVE-2026-31447 CVE-2026-31450
CVE-2026-31452 CVE-2026-31454 CVE-2026-31455 CVE-2026-31466
CVE-2026-31469 CVE-2026-31473 CVE-2026-31485 CVE-2026-31494
CVE-2026-31495 CVE-2026-31497 CVE-2026-31498 CVE-2026-31504
CVE-2026-31507 CVE-2026-31508 CVE-2026-31509 CVE-2026-31510
CVE-2026-31512 CVE-2026-31515 CVE-2026-31518 CVE-2026-31523
CVE-2026-31524 CVE-2026-31545 CVE-2026-31546 CVE-2026-31550
CVE-2026-31552 CVE-2026-31555 CVE-2026-31570 CVE-2026-31628
CVE-2026-31649 CVE-2026-31651 CVE-2026-31658 CVE-2026-31659
CVE-2026-31660 CVE-2026-31661 CVE-2026-31662 CVE-2026-31665
CVE-2026-31667 CVE-2026-31668 CVE-2026-31670 CVE-2026-31671
CVE-2026-31672 CVE-2026-31674 CVE-2026-31679 CVE-2026-31680
CVE-2026-31682 CVE-2026-31683 CVE-2026-31720 CVE-2026-31721
CVE-2026-31726 CVE-2026-31728 CVE-2026-31737 CVE-2026-31738
CVE-2026-31747 CVE-2026-31748 CVE-2026-31749 CVE-2026-31751
CVE-2026-31752 CVE-2026-31758 CVE-2026-31759 CVE-2026-31761
CVE-2026-31762 CVE-2026-31763 CVE-2026-31770 CVE-2026-31773
CVE-2026-31778 CVE-2026-31780 CVE-2026-31781 CVE-2026-31786
CVE-2026-31787 CVE-2026-31788 CVE-2026-43011 CVE-2026-43014
CVE-2026-43015 CVE-2026-43020 CVE-2026-43024 CVE-2026-43026
CVE-2026-43027 CVE-2026-43028 CVE-2026-43030 CVE-2026-43032
CVE-2026-43035 CVE-2026-43037 CVE-2026-43038 CVE-2026-43040
CVE-2026-43041 CVE-2026-43043 CVE-2026-43047 CVE-2026-43050
CVE-2026-43051 CVE-2026-43060 CVE-2026-43061 CVE-2026-43062
CVE-2026-43066 CVE-2026-43068 CVE-2026-43069 CVE-2026-43077
CVE-2026-43078 CVE-2026-43124 CVE-2026-43130 CVE-2026-43132
CVE-2026-43134 CVE-2026-43135 CVE-2026-43136 CVE-2026-43139
CVE-2026-43140 CVE-2026-43141 CVE-2026-43147 CVE-2026-43149
CVE-2026-43152 CVE-2026-43156 CVE-2026-43158 CVE-2026-43159
CVE-2026-43163 CVE-2026-43168 CVE-2026-43171 CVE-2026-43180
CVE-2026-43183 CVE-2026-43184 CVE-2026-43187 CVE-2026-43190
CVE-2026-43194 CVE-2026-43196 CVE-2026-43202 CVE-2026-43203
CVE-2026-43206 CVE-2026-43207 CVE-2026-43209 CVE-2026-43211
CVE-2026-43218 CVE-2026-43223 CVE-2026-43226 CVE-2026-43227
CVE-2026-43230 CVE-2026-43231 CVE-2026-43232 CVE-2026-43233
CVE-2026-43236 CVE-2026-43241 CVE-2026-43242 CVE-2026-43246
CVE-2026-43251 CVE-2026-43255 CVE-2026-43257 CVE-2026-43261
CVE-2026-43264 CVE-2026-43266 CVE-2026-43268 CVE-2026-43269
CVE-2026-43270 CVE-2026-43273 CVE-2026-43277 CVE-2026-43283
CVE-2026-43287 CVE-2026-43289 CVE-2026-43295 CVE-2026-43296
CVE-2026-43314 CVE-2026-43316 CVE-2026-43327 CVE-2026-43328
CVE-2026-43334 CVE-2026-43336 CVE-2026-43339 CVE-2026-43340
CVE-2026-43342 CVE-2026-43343 CVE-2026-43355 CVE-2026-43357
CVE-2026-43363 CVE-2026-43370 CVE-2026-43373 CVE-2026-43381
CVE-2026-43382 CVE-2026-43383 CVE-2026-43386 CVE-2026-43387
CVE-2026-43407 CVE-2026-43411 CVE-2026-43420 CVE-2026-43424
CVE-2026-43425 CVE-2026-43426 CVE-2026-43427 CVE-2026-43428
CVE-2026-43429 CVE-2026-43430 CVE-2026-43432 CVE-2026-43437
CVE-2026-43439 CVE-2026-43445 CVE-2026-43449 CVE-2026-43450
CVE-2026-43451 CVE-2026-43452 CVE-2026-43453 CVE-2026-43458
CVE-2026-43459 CVE-2026-43466 CVE-2026-43472 CVE-2026-43475
CVE-2026-43480 CVE-2026-43503 CVE-2026-45848 CVE-2026-45852
CVE-2026-45856 CVE-2026-45857 CVE-2026-45860 CVE-2026-45862
CVE-2026-45866 CVE-2026-45867 CVE-2026-45868 CVE-2026-45869
CVE-2026-45870 CVE-2026-45871 CVE-2026-45873 CVE-2026-45875
CVE-2026-45879 CVE-2026-45883 CVE-2026-45885 CVE-2026-45890
CVE-2026-45899 CVE-2026-45904 CVE-2026-45912 CVE-2026-45914
CVE-2026-45915 CVE-2026-45916 CVE-2026-45919 CVE-2026-45920
CVE-2026-45923 CVE-2026-45936 CVE-2026-45941 CVE-2026-45948
CVE-2026-45954 CVE-2026-45956 CVE-2026-45958 CVE-2026-45960
CVE-2026-45964 CVE-2026-45965 CVE-2026-45968 CVE-2026-45970
CVE-2026-45974 CVE-2026-45978 CVE-2026-45981 CVE-2026-45983
CVE-2026-45984 CVE-2026-45985 CVE-2026-46028 CVE-2026-46174
CVE-2026-46300
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For Debian 11 bullseye, these problems have been fixed in version
5.10.257-1. This version additionally includes many more bug fixes
from stable updates 5.10.252-5.10.257.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6309-1] exim4 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6309-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 29, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2026-48840
Warisjeet Singh discovered that Exim, a mail transport agent, does not
properly handle PROXY frames whose declared payload length is too short
for the claimed address family, which may result in information
disclosure in configurations with SUPPORT_PROXY and 'host_proxy' set.
For the oldstable distribution (bookworm), this problem has been fixed
in version 4.96-15+deb12u10.
For the stable distribution (trixie), this problem has been fixed in
version 4.98.2-1+deb13u3.
We recommend that you upgrade your exim4 packages.
For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
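An added example, not Exim's code, of the length check whose absence CVE-2026-48840 describes: a header validator that rejects a PROXY frame when its declared payload length is shorter than the claimed address family requires. It assumes the binary PROXY protocol v2 header layout; the pp2_* names and the sample frame are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pp2_result { PP2_OK, PP2_SHORT_HEADER, PP2_BAD_SIG, PP2_BAD_VERCMD,
                  PP2_BAD_FAMILY, PP2_LEN_TOO_SHORT, PP2_TRUNCATED };

static const uint8_t PP2_SIG[12] = { 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D,
                                     0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };

/* Address bytes each family needs, per the PROXY protocol v2 layout. */
static int pp2_addr_size(uint8_t fam_byte)
{
    switch (fam_byte >> 4) {
    case 0x0: return 0;    /* AF_UNSPEC: no address block */
    case 0x1: return 12;   /* AF_INET:  2 x 4-byte addr + 2 x 2-byte port */
    case 0x2: return 36;   /* AF_INET6: 2 x 16-byte addr + 2 x 2-byte port */
    case 0x3: return 216;  /* AF_UNIX:  2 x 108-byte path */
    default:  return -1;
    }
}

/* Validate the 16-byte header before any address field is read;
 * received is the number of bytes actually present in buf. */
enum pp2_result pp2_validate(const uint8_t *buf, size_t received)
{
    if (received < 16) return PP2_SHORT_HEADER;
    if (memcmp(buf, PP2_SIG, sizeof PP2_SIG) != 0) return PP2_BAD_SIG;
    uint8_t cmd = buf[12] & 0x0F;
    if ((buf[12] >> 4) != 2 || cmd > 1) return PP2_BAD_VERCMD;
    size_t declared = ((size_t)buf[14] << 8) | buf[15];    /* network order */
    int need = (cmd == 0) ? 0 : pp2_addr_size(buf[13]);    /* LOCAL: no addresses */
    if (need < 0) return PP2_BAD_FAMILY;
    if (declared < (size_t)need) return PP2_LEN_TOO_SHORT; /* the advisory's case */
    if (received - 16 < declared) return PP2_TRUNCATED;
    return PP2_OK;
}

int main(void)
{
    uint8_t f[28] = { 0 };               /* constructed sample frame */
    memcpy(f, PP2_SIG, sizeof PP2_SIG);
    f[12] = 0x21;                        /* version 2, command PROXY */
    f[13] = 0x21;                        /* AF_INET6 + STREAM: needs 36 bytes */
    f[15] = 12;                          /* declared length: only 12 */
    return pp2_validate(f, sizeof f) == PP2_LEN_TOO_SHORT ? 0 : 1;
}
```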