BLFS Security Advisories for BLFS 13.0 and the current development books.
BLFS-13.0 was released on 2026-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to more details which have links to the development books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
BIND
13.0 002 BIND Date: 2026-03-06 Severity: Low
In BIND-9.20.20, a security vulnerability was fixed in the delv utility that could allow for a remotely exploitable crash in the dns_client_resolve() function triggered by a DNAME response. The issue is due to a use after free, and relies on a user passing a very rare set of options to exploit. The only known impact is a crash, and the issue requires user interaction to exploit, so upstream has rated the vulnerability as Low. This utility is only installed in a full BIND installation, and does NOT affect the BIND Utilities package in BLFS. If you are not experiencing crashes in the 'delv' utility, there is no need to upgrade. Update to BIND-9.20.20. 13.0-002
cURL
13.0 009 cURL Date: 2026-03-21 Severity: Medium
In cURL-8.19.0, four security vulnerabilities were fixed that could allow for inappropriate HTTP Negoitation connection reuse, token leaks, inappropriate proxy connection reuse with credentials, and use-after-free operations via SMB connection reuse. Update to cURL-8.19.0. 13.0-009
Exiv2
13.0 004 Exiv2 Date: 2026-03-06 Severity: Low
In Exiv2-0.28.8, three security vulnerabilities were fixed that could allow for a denial of service (application crash) when using the exiv2 command line tool. The library itself is not affected. Users that are using the preview component (e.g. passing '-pp' to the exiv2 command line tool) or who are processing CRW videos should update, as the issues only affect those use cases. There is no need to update otherwise. Update to Exiv2-0.28.8. 13.0-004
FreeRDP
13.0 012 FreeRDP-3.24.0 Date: 2026-03-21 Severity: Critical
In FreeRDP-3.24.0, eight security vulnerabilities were fixed that could allow for heap buffer overflows, out-of-bounds read and write operations, integer underflows, heap overwrites, gigantic while-loop iterations, and denial of service attacks via divisions by zero. Update immediately to FreeRDP-3.24.0. 13.0-012
13.0 001 FreeRDP Date: 2026-03-06 Severity: High
In FreeRDP-3.23.0, twelve security vulnerabilities were fixed that could allow for remotely exploitable client and server crashes, information disclosure, and remote code execution. This can occur in a large variety of situations, including when using the clipboard redirection feature, connecting to a server, and resizing the window. Users who have FreeRDP installed should consider updating immediately if they connect to untrusted servers or are hosting a publicly-accessible RDP server. Update to FreeRDP-3.23.0. 13.0-001
FreeType
13.0 003 FreeType2 Date: 2026-03-06 Severity: Medium
In FreeType-2.14.2, a security vulnerability was fixed that could allow for arbitrary code execution, information disclosure, or a denial of service (application crash) when processing the HVAR, VVAR, or MVAR tables in an OpenType variable font. This problem occurs due to an out of bounds read, caused by an integer overflow problem. This update also has several other fixes for other potential security problems, and upstream recommends that all users update to this version of FreeType. Update to FreeType-2.14.2. 13.0-003
Fuse
13.0 014 Fuse Date: 2026-03-21 Severity: High
In Fuse-3.18.2, two security vulnerabilities were fixed that could allow for use-after-free operations, NULL pointer dereferencing, and memory leaks. Update to Fuse-3.18.2. 13.0-014
giflib
13.0 010 giflib Date: 2026-03-21 Severity: High
In giflib-6.1.2, three assigned security vulnerabilities, among many unassigned AI-audited vulnerabilties, were fixed that could allow for double-free operations, denial of service attacks via memory leaks, heap buffer overflow exploitation, path traversing, out-of-bounds write operations, and integer and buffer overflows. Update to giflib-6.1.2. 13.0-010
libde265
13.0 011 libde265 Date: 2026-03-21 Severity: High
In libde265-1.0.18, two security vulnerabilities were fixed that could allow for denial of service attacks and out-of-bounds heap write operations. Update to libde265-1.0.18. 13.0-011
libpng
13.0 016 libpng Date: 2026-03-26 Severity: High
In libpng-1.6.56, two security vulnerabilities were fixed that could allow for remote code execution and information disclosure. The first vulnerability is in the png_set_PLTE and png_set_tRNS functions, where a 100% valid PNG file can trigger a use-after-free which can leak sensitive heap contents, write attacker-influenced information to freed heap memory, and on systems which use glibc (like LFS systems), cause trivial remote code execution when loading the PNG file in contexts such as a web browser. The other vulnerability is an out-of-bounds read/write that only occurs on ARM/AArch64 systems which use the Neon optimizations. All users who have libpng installed are urged to update immediately. 13.0-016
libxml2
13.0 005 libxml2 Date: 2026-03-06 Severity: Medium
In libxml2-2.15.2, five security vulnerabilities were fixed that could allow for a denial of service (resource exhaustion and application crashes) when using the xmllint utility in some rare conditions, when an application calls the xmlCatalogXMLResolveURI function when an XML catalog contains a URI entry that references itself, when processing XML catalogs with repeated nextCatalog elements pointing to the same downstream catalog, when parsing XSL nodes, and when using the RelaxNG parser to include external schemas. Update to libxml2-2.15.2. 13.0-005
nfs-utils
13.0 007 nfs-utils Date: 2026-03-09 Severity: Medium
In nfs-utils-2.8.6, a security vulnerability was fixed that could allow for a NFSv3 client to escalate privileges assigned to it in the /etc/exports file at mount time. It allows a client to access any subdirectory or subtree of an exported directory regardless of file permissions or other attributes that would normally be expected to apply to the client. This primarily affects servers running NFS, but all users should update due to other bugfixes in this package. Update to nfs-utils-2.8.6. 13.0-007
nghttp2
13.0 013 nghttp2 Date: 2026-03-21 Severity: High
In nghttp2-1.68.1, a security vulnerability was fixed that could allow for a denial of service via an assertion failure. Update to nghttp2-1.68.1. 13.0-013
requests
13.0 017 requests Date: 2026-03-26 Severity: Medium
In requests-2.33.0, a security vulnerability was fixed that could allow for a local attacker with write access to /tmp to pre-create a malicious file that would be loaded in place of a legitimate file. This only affects the requests.utils.extract_zipped_paths() utility function, and not the standard usage of the requests library. Only applications which use this function directly are impacted, and none in BLFS at the moment use it. However, if you have third party modules installed which may use requests, you should update to requests-2.33.0 when it is convenient to do so. 13.0-017
systemd
13.0 008 systemd (LFS and BLFS) Date: 2026-03-21 Severity: Medium
In systemd-259.5, a security vulnerability was fixed that could allow for local privilege escalation. This vulnerability was found in systemd-machined, which can be triggered by a regular user logged into a graphical environment who can escalate to the root user through an IPC call. Update to systemd-259.5. 13.0-008
WebKitGTK
13.0 015 WebKitGTK Updated: 2026-03-26 Severity: Critical
In WebKitGTK-2.52.0, eight security vulnerabilities were fixed that could allow for use-after-free operations, internal application state disclosure, remote and local denial of service attacks, and user tracking. Update to WebKitGTK-2.52.0. 13.0-015
Wireshark
13.0 006 Wireshark Date: 2026-03-08 Severity: Medium
In Wireshark-4.6.4, three security vulnerabilities were fixed that could allow for a denial of service (memory exhaustion and remotely exploitable crash) when dissecting USB HID packets, RF4CE Profile packets, or NTS-KE packets. Users who are using Wireshark but are not operating a network with NTS-KE or RF4CE Profile packets, or who are not using the USB HID dissector, do not need to upgrade. However, if you are on a network where those packet types are in use, or are using Wireshark to dissect USB HID traffic, you should update Wireshark if you are experiencing crashes. Update to Wireshark-4.6.4. 13.0-006