Debian 10883

This batch of Debian security advisories covers flaws in several widely used packages, among them webkit2gtk, node-tar, ffmpeg and the PowerDNS components dnsdist, pdns-recursor and pdns. Crafted web content, tar archives and media files can bypass security restrictions (Same Origin Policy, Content Security Policy, the tar extraction root), crash a process, or corrupt memory with the potential for arbitrary code execution; the PowerDNS issues can lead to denial of service, information disclosure or ACL bypass. Fixed packages are available for the current stable release (trixie); Debian 11 (bullseye) and Debian 9 (stretch) receive their updates from the LTS and Extended LTS teams respectively, and webkit2gtk is no longer security-supported in oldstable (bookworm).

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1699-1 ffmpeg security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4552-1] node-tar security update

Debian GNU/Linux 13 (Trixie):
[DSA 6232-1] webkit2gtk security update
[DSA 6235-1] dnsdist security update
[DSA 6234-1] pdns-recursor security update
[DSA 6233-1] pdns security update



[SECURITY] [DSA 6232-1] webkit2gtk security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6232-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
April 28, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : webkit2gtk
CVE ID : CVE-2025-46299 CVE-2026-20643 CVE-2026-20664 CVE-2026-20665
CVE-2026-20691 CVE-2026-28857 CVE-2026-28859 CVE-2026-28861
CVE-2026-28871

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-46299

Google Big Sleep discovered that processing maliciously crafted
web content may disclose internal states of the app.

CVE-2026-20643

Thomas Espach discovered that processing maliciously crafted web
content may bypass Same Origin Policy.

CVE-2026-20664

Daniel Rhea, Soehnke Benedikt Fischedick, Emrovsky & Switch, and
Yevhen Pervushyn discovered that processing maliciously crafted
web content may lead to an unexpected process crash.

CVE-2026-20665

webb discovered that processing maliciously crafted web content
may prevent Content Security Policy from being enforced.

CVE-2026-20691

Gongyu Ma discovered that a maliciously crafted webpage may be
able to fingerprint the user.

CVE-2026-28857

Narcis Oliveras Fontas, Soehnke Benedikt Fischedick, Daniel Rhea,
and Nathaniel Oh discovered that processing maliciously crafted
web content may lead to an unexpected process crash.

CVE-2026-28859

greenbynox and Arni Hardarson discovered that a malicious website
may be able to process restricted web content outside the sandbox.

CVE-2026-28861

Hongze Wu and Shuaike Dong discovered that a malicious website may
be able to access script message handlers intended for other
origins.

CVE-2026-28871

@hamayanhamayan discovered that visiting a maliciously crafted
website may lead to a cross-site scripting attack.

Starting from version 2.52.0, WebKitGTK can no longer be backported to
the oldstable distribution (bookworm). Because of that, the webkit2gtk
packages are no longer covered by security support in bookworm.

For the stable distribution (trixie), these problems have been fixed in
version 2.52.1-1~deb13u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4552-1] node-tar security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4552-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
April 29, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : node-tar
Version : 6.0.5+ds1+~cs11.3.9-1+deb11u3
CVE ID : CVE-2024-28863 CVE-2026-23745 CVE-2026-24842 CVE-2026-26960
CVE-2026-29786 CVE-2026-31802

Multiple vulnerabilities have been discovered in node-tar, a Node.js
module to read and write portable tar archives.

CVE-2024-28863

Extracting an archive whose entry paths nest a very large number of
sub-folders can consume memory on the system and crash the Node.js
process within a few seconds.

CVE-2026-23745

When preservePaths is false, the linkpath of Link (hardlink) and
SymbolicLink entries fail to be sanitized, allowing malicious
archives to bypass the extraction root restriction, leading to
arbitrary file overwrites via hardlinks and symlink poisoning via
absolute symlink targets.

The fix for this issue introduced several of the vulnerabilities
listed below.

CVE-2026-24842

The security check for hardlink entries allows an attacker to craft
a malicious TAR archive that bypasses path traversal protections and
creates hardlinks to arbitrary files outside the extraction
directory.

CVE-2026-26960

An attacker-controlled archive can create a hardlink inside the
extraction directory that points to a file outside the extraction
root, enabling arbitrary file read and write as the extracting user.

CVE-2026-29786

An attacker-controlled archive can create a hardlink that points
outside the extraction directory by using a drive-relative link
target.

CVE-2026-31802

An attacker-controlled archive can create a hardlink that points
outside the extraction directory by using a drive-relative link
target.

For Debian 11 bullseye, these problems have been fixed in version
6.0.5+ds1+~cs11.3.9-1+deb11u3.

We recommend that you upgrade your node-tar packages.

For the detailed security status of node-tar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6235-1] dnsdist security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6235-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 28, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : dnsdist
CVE ID : CVE-2026-0396 CVE-2026-0397 CVE-2026-24028
CVE-2026-24029 CVE-2026-24030 CVE-2026-27853
CVE-2026-27854 CVE-2026-33254 CVE-2026-33257
CVE-2026-33260 CVE-2026-33593 CVE-2026-33594
CVE-2026-33595 CVE-2026-33596 CVE-2026-33597
CVE-2026-33598 CVE-2026-33599 CVE-2026-33602

Multiple security vulnerabilities were discovered in the dnsdist
DNS load balancer, which could result in denial of service, information
disclosure or ACL bypass.

For the stable distribution (trixie), these problems have been fixed in
version 1.9.14-0+deb13u1.

We recommend that you upgrade your dnsdist packages.

For the detailed security status of dnsdist please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsdist

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6234-1] pdns-recursor security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6234-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 28, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pdns-recursor
CVE ID : CVE-2026-33257 CVE-2026-33258 CVE-2026-33259
CVE-2026-33260 CVE-2026-33261 CVE-2026-33600
CVE-2026-33601

Multiple vulnerabilities have been discovered in PDNS Recursor, a
resolving name server, which could result in denial of service.

For the stable distribution (trixie), these problems have been fixed in
version 5.2.9-0+deb13u1.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6233-1] pdns security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6233-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 28, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pdns
CVE ID : CVE-2026-33257 CVE-2026-33260 CVE-2026-33608
CVE-2026-33609 CVE-2026-33610 CVE-2026-33611

Multiple security vulnerabilities were discovered in pdns, the PowerDNS
Authoritative Server, which could result in denial of service,
information disclosure or ACL bypass.

For the stable distribution (trixie), these problems have been fixed in
version 4.9.14-0+deb13u1.

We recommend that you upgrade your pdns packages.

For the detailed security status of pdns please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1699-1 ffmpeg security update


Package : ffmpeg
Version : 7:3.2.19-0+deb9u8 (stretch)

Related CVEs :
CVE-2020-22027
CVE-2023-6603
CVE-2025-1594
CVE-2025-7700
CVE-2025-9951
CVE-2025-10256

Several issues have been found in ffmpeg, a library and tools for transcoding,
streaming and playing of multimedia files.

CVE-2020-22027

A heap-based buffer overflow vulnerability exists in FFmpeg 4.2 in
deflate16 in libavfilter/vf_neighbor.c, which might lead to memory
corruption and other potential consequences.

CVE-2023-6603

A flaw was found in FFmpeg’s HLS playlist parsing. This vulnerability
allows a denial of service via a maliciously crafted HLS playlist that
triggers a null pointer dereference during initialization.

CVE-2025-1594

A stack-based buffer overflow, rated critical, was found in the function
ff_aac_search_for_tns in libavcodec/aacenc_tns.c (AAC encoder) in FFmpeg
up to 7.1. The attack can be initiated remotely, and an exploit has been
publicly disclosed.

CVE-2025-7700

A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly
check for memory allocation failures. This can cause the application to
crash when processing certain malformed audio files. While it does not
lead to data theft or system control, it can be used to disrupt services
and cause a denial of service.

CVE-2025-9951

A heap buffer overflow write exists in FFmpeg’s JPEG 2000 decoder
(jpeg2000dec), reachable through the channel definition (cdef) atom of a
JPEG 2000 file, which may allow remote code execution or denial of
service.

CVE-2025-10256

A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer
filter (libavfilter/af_firequalizer.c) due to a missing check on the
return value of av_malloc_array() in the config_input() function. An
attacker could exploit this by tricking a victim into processing a crafted
media file with the Firequalizer filter enabled, causing the application
to dereference a NULL pointer and crash, leading to denial of service.

