BLFS Security Advisories for 13.0

BLFS Security Advisories for BLFS 13.0 and the current development books.

BLFS-13.0 was released on 2026-03-05

This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.

The links at the end of each item point to more details which have links to the development books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

BIND

13.0 002 BIND Date: 2026-03-06 Severity: Low

In BIND-9.20.20, a security vulnerability was fixed in the delv utility that could allow for a remotely exploitable crash in the dns_client_resolve() function triggered by a DNAME response. The issue is due to a use after free, and relies on a user passing a very rare set of options to exploit. The only known impact is a crash, and the issue requires user interaction to exploit, so upstream has rated the vulnerability as Low. This utility is only installed in a full BIND installation, and does NOT affect the BIND Utilities package in BLFS. If you are not experiencing crashes in the 'delv' utility, there is no need to upgrade. Update to BIND-9.20.20. 13.0-002

cURL

13.0 009 cURL Date: 2026-03-21 Severity: Medium

In cURL-8.19.0, four security vulnerabilities were fixed that could allow for inappropriate HTTP Negoitation connection reuse, token leaks, inappropriate proxy connection reuse with credentials, and use-after-free operations via SMB connection reuse. Update to cURL-8.19.0. 13.0-009

Exiv2

13.0 004 Exiv2 Date: 2026-03-06 Severity: Low

In Exiv2-0.28.8, three security vulnerabilities were fixed that could allow for a denial of service (application crash) when using the exiv2 command line tool. The library itself is not affected. Users that are using the preview component (e.g. passing '-pp' to the exiv2 command line tool) or who are processing CRW videos should update, as the issues only affect those use cases. There is no need to update otherwise. Update to Exiv2-0.28.8. 13.0-004

Firefox

13.0 027 Firefox Date: 2026-04-01 Severity: High

In Firefox-140.9.0esr, 38 security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, sandbox escapes, denial of service (application crashes and resource exhaustion), undefined behavior, mitigation bypasses, and privilege escalation. All users who have Firefox installed are urged to update immediately, especially because of the sandbox escape vulnerabilities which then amplify the impacts of the other vulnerabilities. Update to Firefox-140.9.0esr. 13.0-027

FreeRDP

FreeType

13.0 024 FreeType Date: 2026-04-01 Severity: High

In FreeType-2.14.3, several potential memory safety problems were resolved that could allow for arbitrary code execution (stack overflows) and denial of service (memory leaks and boundary problems). Upstream has been rather vague on the details of these issues, and the BLFS team was only able to find the exact problems by reviewing the commits for the 2.14.3 release. Upstream however recommends that users upgrade immediately to solve these problems, so we are filing an advisory even though there is not much in the way of details. Update to FreeType-2.14.3. 13.0-024

13.0 003 FreeType2 Date: 2026-03-06 Severity: Medium

In FreeType-2.14.2, a security vulnerability was fixed that could allow for arbitrary code execution, information disclosure, or a denial of service (application crash) when processing the HVAR, VVAR, or MVAR tables in an OpenType variable font. This problem occurs due to an out of bounds read, caused by an integer overflow problem. This update also has several other fixes for other potential security problems, and upstream recommends that all users update to this version of FreeType. Update to FreeType-2.14.2. 13.0-003

Fuse

13.0 014 Fuse Date: 2026-03-21 Severity: High

In Fuse-3.18.2, two security vulnerabilities were fixed that could allow for use-after-free operations, NULL pointer dereferencing, and memory leaks. Update to Fuse-3.18.2. 13.0-014

giflib

13.0 010 giflib Date: 2026-03-21 Severity: High

In giflib-6.1.2, three assigned security vulnerabilities, among many unassigned AI-audited vulnerabilties, were fixed that could allow for double-free operations, denial of service attacks via memory leaks, heap buffer overflow exploitation, path traversing, out-of-bounds write operations, and integer and buffer overflows. Update to giflib-6.1.2. 13.0-010

GIMP

13.0 050 GIMP Date: 2026-04-16 Severity: High

In GIMP-3.2.2, twelve security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, information disclosure, and denial of service (application crashes). These occur due to integer overflows and heap buffer overflows. The PCX, PSD, ICO, JP2, PSP, XPM, FITS, TIM, ICNS, PVR, Seattle Filmworks, and GIF image parsers are affected by these vulnerabilities. All users who work with these image types should update GIMP to 3.2.2 immediately, especially if you are working with untrusted image files. Update to GIMP-3.2.2. 13.0-050

glib

13.0 033 glib Date: 2026-04-03 Severity: High

In glib-2.86.5, five security vulnerabilities were fixed that could allow for information disclosure or denial of service (application crashes). These vulnerabilities all occur due to small out-of-bounds reads and buffer over-reads in a variety of crucial functions. Update to glib-2.86.5. 13.0-033

gstreamer

13.0 036 gstreamer Date: 2026-04-08 Severity: High

In gst-plugins-base, gst-plugins-bad, and gst-plugins-good 1.28.2, eleven security vulnerabilities were fixed that could allow for information disclosure, denial of service (memory exhaustion and application crashes), and arbitrary code execution. These occur in a variety of functions, including the SRT/WebVTT parser, the Matroska demuxer, the WAV parser when decoding CUE files, the FLV demuxer, the mDVDsub subtitle parser, the MOV/MP4 demuxer, the H.266/VVC parser, the JPEG 2000 decimator, the AV1 LEB128 parser, and the H.264 video parser. Because of the variety of circumstances where gstreamer is used (including web browsers and media players), all users who have it installed are advised to update the stack to 1.28.2 immediately. 13.0-036

libarchive

13.0 046 libarchive Date: 2026-04-15 Severity: High

In libarchive-3.8.7, seven security vulnerabilities were fixed that could allow for denial of service (application crashes and memory exhaustion) as well as arbitrary code execution. These vulnerabilities occur in the CAB, CPIO, and ISO9660 formats, as well as in the 'untar' contrib script (which is not installed by default and is sample code). If you use libarchive to process ISO9660 formats (e.g. ISOs), CAB files, or for processing CPIO formatted files, you should consider updating. There isn't much reason for users who don't process those formats to update. Update to libarchive-3.8.7. 13.0-046

libde265

13.0 011 libde265 Date: 2026-03-21 Severity: High

In libde265-1.0.18, two security vulnerabilities were fixed that could allow for denial of service attacks and out-of-bounds heap write operations. Update to libde265-1.0.18. 13.0-011

libexif

13.0 044 libexif Date: 2026-04-15 Severity: High

In libexif-0.6.26, three security vulnerabilities were fixed that could allow for arbitrary code execution, denial of service (application crashes), and information disclosure. Update to libexif-0.6.26 especially if you are processing untrusted images or EXIF metadata regularly. 13.0-044

libinput

13.0 034 libinput Date: 2026-04-06 Severity: High

In libinput-1.31.1, two security vulnerabilities were fixed that could allow for a sandbox escape and information disclosure. Both of these issues occur in libinput's plugins subsystem. Update to libinput-1.31.1. 13.0-034

libpng

13.0 047 libpng Date: 2026-04-15 Severity: Medium

In libpng-1.6.57, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly heap information disclosure. This can occur with valid PNG files conforming to the PNG specification, as any image that contains an affected chunk can trigger the vulnerability. However, it is rated as Medium because only applications that utilize the png_set_PLTE, png_set_tRNS, and png_set_hIST functions are affected and only if they pass a pointer on an identical struct pair. Most users should still consider upgrading though because this issue occurs with valid PNG files. Update to libpng-1.6.57. 13.0-047

13.0 016 libpng Date: 2026-03-26 Severity: High

In libpng-1.6.56, two security vulnerabilities were fixed that could allow for remote code execution and information disclosure. The first vulnerability is in the png_set_PLTE and png_set_tRNS functions, where a 100% valid PNG file can trigger a use-after-free which can leak sensitive heap contents, write attacker-influenced information to freed heap memory, and on systems which use glibc (like LFS systems), cause trivial remote code execution when loading the PNG file in contexts such as a web browser. The other vulnerability is an out-of-bounds read/write that only occurs on ARM/AArch64 systems which use the Neon optimizations. All users who have libpng installed are urged to update immediately. 13.0-016

libraw

13.0 045 libraw Date: 2026-04-15 Severity: Critical

In libraw-0.22.1, eight security vulnerabilities were fixed that could allow for remote code execution, arbitrary code execution, and denial of service (application crash and memory exhaustion). These vulnerabilities are mostly classified as heap buffer overflows and integer overflows, and they occur in a large variety of different functions and contexts. Any user that processes untrusted RAW images should update to this version immediately to protect their system. Update to libraw-0.22.1. 13.0-045

libxml2

13.0 005 libxml2 Date: 2026-03-06 Severity: Medium

In libxml2-2.15.2, five security vulnerabilities were fixed that could allow for a denial of service (resource exhaustion and application crashes) when using the xmllint utility in some rare conditions, when an application calls the xmlCatalogXMLResolveURI function when an XML catalog contains a URI entry that references itself, when processing XML catalogs with repeated nextCatalog elements pointing to the same downstream catalog, when parsing XSL nodes, and when using the RelaxNG parser to include external schemas. Update to libxml2-2.15.2. 13.0-005

nfs-utils

13.0 007 nfs-utils Date: 2026-03-09 Severity: Medium

In nfs-utils-2.8.6, a security vulnerability was fixed that could allow for a NFSv3 client to escalate privileges assigned to it in the /etc/exports file at mount time. It allows a client to access any subdirectory or subtree of an exported directory regardless of file permissions or other attributes that would normally be expected to apply to the client. This primarily affects servers running NFS, but all users should update due to other bugfixes in this package. Update to nfs-utils-2.8.6. 13.0-007

nghttp2

13.0 013 nghttp2 Date: 2026-03-21 Severity: High

In nghttp2-1.68.1, a security vulnerability was fixed that could allow for a denial of service via an assertion failure. Update to nghttp2-1.68.1. 13.0-013

Node.js

13.0 030 Node.js Date: 2026-04-01 Severity: High

In Node.js-24.14.1, 8 security vulnerabilities were fixed that could allow for permission bypasses, remotely exploitable denial of service (resource exhaustion and application crashes), and potential MAC forgery. These can occur in a variety of situations, including when processing HTTP requests, parsing URLs, performing cryptography operations, and accessing files on the system. Note that the potential MAC forgery vulnerability occurs due to a timing side-channel problem. Update to Node.js-24.14.1. 13.0-030.

OpenSSH

13.0 032 OpenSSH Date: 2026-04-03 Severity: High

In OpenSSH-10.3p1, five security vulnerabilities were fixed that could allow for inappropriate matching of the authorized_keys file in some rare circumstances, for downloads from SCP to be installed SUID/SGID in some situations, for unexpected command execution to occur via shell metacharacters in a username, for OpenSSH to use unintended ECSDA algorithms, and for OpenSSH to omit connection multiplexing confirmation for proxy-mode multiplexing sessions. Most of these vulnerabilities rely on non-standard configurations or specific actions to take place. If you have modified the default BLFS configuration for OpenSSH, review the consolidated advisory to ensure that you are not affected. If you are affected, update to OpenSSH-10.3p1. There is no reason to upgrade if you are not affected. 13.0-032

pytest

13.0 035 pytest Date: 2026-04-08 Severity: Medium

In pytest-9.0.3, a security vulnerability was fixed that could allow for a denial of service (application crash) or possibly privilege escalation. This is due to an unsafe use of temporary directories, where previous versions allowed all users to write to the /tmp/pytest-of-${USER} directory. Note that this would only be exploitable locally per upstream, and can only be exploited while a test suite is running. Update to pytest-9.0.3. 13.0-035

Python

13.0 038 Python (LFS and BLFS) Date: 2026-04-15 Severity: Critical

In Python-3.14.4 (and 3.13.13), four security vulnerabilities were fixed. After release though, an additional four were resolved. These vulnerabilities can allow for a variety of impacts, including denial of service (application crashes), allowing data to be accepted by the base64 module that should've been processed differently, for input validation bypasses when working with cookies in http.Cookies.Morsel (allowing injection of control characters into cookies), for legacy *.pyc files to be incorrectly handled (leading to unintentional behavior at runtime for various programs), for arbitrary code execution when processing LZMA, BZ2, or GZIP compressed files in Python, for CR/LF bytes to not be rejected by HTTP client proxy tunnel headers, for commands to be injected into the underlying shell when a Python script opens a web browser, and for memory corruption to occur when using the remote debugging feature in Python 3.14 and later. Update to Python-3.14.4 with the security fixes patch. BLFS 12.4 users can safely use 3.13.13 with the patch but will need to skip a missing file during the patch process. 13.0-038

13.0 022 Python (LFS and BLFS) Date: 2026-04-01 Severity: High

In Python-3.14.3, three security vulnerabilities were found that could allow for a denial of service (application crash), for control characters to be allowed inside of HTTP cookies, and for Python to accidentally pass unexpected options to web browsers. Rebuild Python with the security fixes patch. BLFS 12.4 users can safely use the patch against Python 3.13 with the note that a new test failure will occur due to the test depending on newer testing API from Python 3.14. 13.0-022

QtWebEngine

13.0 026 QtWebEngine Updated: 2026-04-03 Severity: Critical

In QtWebEngine-6.11.0, 47 security vulnerabilities were fixed that could allow for remote code execution, object corruption, sensitive information disclosure, cross-origin data exfiltration, sandbox escapes, for malicious extensions to inject scripts or HTML into privileged pages, for same-origin policy bypasses, and for navigation restriction bypasses. Two of these vulnerabilities are known to be actively exploited by a threat actor, and it is thus recommended that you update to Qt6 and QtWebEngine 6.11.0 immediately. 13.0-026

LXQt users will need to update to lxqt-panel-2.3.3 and lxqt-config-2.3.2 to fix compatibility problems with Qt6-6.11.0 which cause problems with loading icons from icon themes.

Updated on 2026-04-03 to include information about LXQt icon theme issues.

requests

13.0 017 requests Date: 2026-03-26 Severity: Medium

In requests-2.33.0, a security vulnerability was fixed that could allow for a local attacker with write access to /tmp to pre-create a malicious file that would be loaded in place of a legitimate file. This only affects the requests.utils.extract_zipped_paths() utility function, and not the standard usage of the requests library. Only applications which use this function directly are impacted, and none in BLFS at the moment use it. However, if you have third party modules installed which may use requests, you should update to requests-2.33.0 when it is convenient to do so. 13.0-017

Spidermonkey

13.0 028 Spidermonkey Date: 2026-04-01 Severity: High

In Spidermonkey from Firefox-140.9.0esr, four security vulnerabilities were fixed that could result in arbitrary code execution, denial of service, or unexpected behavior. These issues are a result of JIT miscompilation, use-after-free problems, usage of uninitialized memory, and incorrect boundary conditions. Update to Spidermonkey-140.9.0. 13.0-028

systemd

13.0 008 systemd (LFS and BLFS) Date: 2026-03-21 Severity: Medium

In systemd-259.5, a security vulnerability was fixed that could allow for local privilege escalation. This vulnerability was found in systemd-machined, which can be triggered by a regular user logged into a graphical environment who can escalate to the root user through an IPC call. Update to systemd-259.5. 13.0-008

Thunderbird

13.0 029 Thunderbird Date: 2026-04-01 Severity: High

In Thunderbird-140.9.0esr, 40 security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, sandbox escapes, denial of service (application crashes and resource exhaustion), undefined behavior, mitigation bypasses, UI spoofing, sensitive data disclosure, and privilege escalation. All users who have Thunderbird installed are urged to update immediately, especially because of the sandbox escape vulnerabilities which then amplify the impacts of the other vulnerabilities. Note that two issues here are also Thunderbird specific, notably a UI spoofing vulnerability and sensitive data disclosure when connecting to a malicious IMAP server. Update to Thunderbird-140.9.0esr. 13.0-029

vim

13.0 037 vim (LFS and BLFS) Date: 2026-04-15 Severity: High

In vim-9.2.0340, two security vulnerabilities were fixed that could allow for operating system command injection (resulting from a sandbox escape in the modeline functionality), and for path traversal issues when modifying the contents of Zip archives to cause vim to overwrite files on the underlying system rather than the intended contents of the Zip archive. All users are urged to update to vim-9.2.0340 immediately due to the risk of arbitrary command execution. 13.0-037

13.0 025 vim (LFS and BLFS) Date: 2026-04-01 Severity: Critical

In vim-9.2.0272, a security vulnerability was fixed that could allow for arbitrary OS Command Injection when loading a crafted file. Note that the file just needs to be loaded by VIM, a user does not need to edit it or perform any special commands for the vulnerabiltiy to trigger. All users should update to vim-9.2.0272 immediately, especially if they are regularly viewing source code or other files from untrusted or external sources. 13.0-025

WebKitGTK

13.0 015 WebKitGTK Updated: 2026-03-26 Severity: Critical

In WebKitGTK-2.52.0, eight security vulnerabilities were fixed that could allow for use-after-free operations, internal application state disclosure, remote and local denial of service attacks, and user tracking. Update to WebKitGTK-2.52.0. 13.0-015

Wireshark

13.0 006 Wireshark Date: 2026-03-08 Severity: Medium

In Wireshark-4.6.4, three security vulnerabilities were fixed that could allow for a denial of service (memory exhaustion and remotely exploitable crash) when dissecting USB HID packets, RF4CE Profile packets, or NTS-KE packets. Users who are using Wireshark but are not operating a network with NTS-KE or RF4CE Profile packets, or who are not using the USB HID dissector, do not need to upgrade. However, if you are on a network where those packet types are in use, or are using Wireshark to dissect USB HID traffic, you should update Wireshark if you are experiencing crashes. Update to Wireshark-4.6.4. 13.0-006

xdg-dbus-proxy

13.0 042 xdg-dbus-proxy Date: 2026-04-15 Severity: High

In xdg-dbus-proxy-0.1.7, a security vulnerability was fixed that could allow for D-Bus clients to intercept messages that they should not have access to. It was fixed by adjusting the policy parser to be able to handle settings with quotation marks and other cases. In BLFS, the only known package to use xdg-dbus-proxy is WebKitGTK. Update to xdg-dbus-proxy-0.1.7. 13.0-042

xdg-desktop-portal

13.0 043 xdg-desktop-portal Date: 2026-04-15 Severity: Medium

In xdg-desktop-portal-1.20.4, a security vulnerability was fixed that could allow for an application which uses the Trash portal to delete any arbitrary file off of the host that it has permissions to access. This is identical to the recent Flatpak security vulnerability relating to this, but affects any program that uses the Trash portal - not just in a Flatpak context. In BLFS, this primarily includes file managers and some web browsers, but could affect other programs as well depending on whether they routinely create or delete files. Update to xdg-desktop-portal-1.20.4. 13.0-043

Xorg-Server

13.0 048 Xorg-Server Date: 2026-04-15 Severity: High

In Xorg-Server-21.1.22, five security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service (Xorg crashes). These vulnerabilities occur in the XKB and XSYNC extensions. The first vulnerability is an integer underflow in the XkbSetCompatMap() function in the XKB extension, while the second is an out of bounds read in the CheckSetGeom() function (also in the XKB extension). The next vulnerability occurs in the XSYNC extension's miSyncTriggerFence() function, and is classified as a use after free. The next issue is an out of bounds read in the CheckModifierMap() function in the XKB extension, and the final issue is a buffer overflow in the CheckKeyTypes() function in the XKB extension. Update to Xorg-Server-21.1.22, and rebuild TigerVNC against 21.1.22 if it is installed. 13.0-048

Xwayland

13.0 049 Xwayland Date: 2026-04-15 Severity: High

In Xwayland-24.1.10, five security vulnerabilities were fixed that could allow for arbitrary code execution or denial of service (Xorg crashes). These vulnerabilities occur in the XKB and XSYNC extensions. The first vulnerability is an integer underflow in the XkbSetCompatMap() function in the XKB extension, while the second is an out of bounds read in the CheckSetGeom() function (also in the XKB extension). The next vulnerability occurs in the XSYNC extension's miSyncTriggerFence() function, and is classified as a use after free. The next issue is an out of bounds read in the CheckModifierMap() function in the XKB extension, and the final issue is a buffer overflow in the CheckKeyTypes() function in the XKB extension. Update to Xwayland-24.1.10. 13.0-049