Lector de Feeds

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2006-10002 , CVE-2006-10003 Description XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size causing a heap corruption (double free or corruption) and crashes. (CVE-2006-10002) XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. (CVE-2006-10003) References

• https://bugs.mageia.org/show_bug.cgi?id=35238
• https://www.openwall.com/lists/oss-security/2026/03/19/1
• https://www.openwall.com/lists/oss-security/2026/03/19/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-10002
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-10003

SRPMS 9/core

• perl-XML-Parser-2.460.0-6.1.mga9

Publication date: 24 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-33412 Description Command injection via newline in glob() affects Vim < 9.2.0202. (CVE-2026-33412) References

• https://bugs.mageia.org/show_bug.cgi?id=35239
• https://www.openwall.com/lists/oss-security/2026/03/19/10
• https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33412

SRPMS 9/core

• vim-9.2.209-1.mga9

Publication date: 24 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description Add kwin-x11 subpackage to smooth upgrades to cauldron (and the future Mageia 10). References

• https://bugs.mageia.org/show_bug.cgi?id=34966

SRPMS 9/core

• kwin-5.27.10-1.4.mga9

Publication date: 20 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-32776 , CVE-2026-32777 , CVE-2026-32778 Description libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. (CVE-2026-32776) libexpat before 2.7.5 allows an infinite loop while parsing DTD content. (CVE-2026-32777) libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. (CVE-2026-32778) References

• https://bugs.mageia.org/show_bug.cgi?id=35227
• https://www.openwall.com/lists/oss-security/2026/03/17/10
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32776
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32777
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32778

SRPMS 9/core

• expat-2.7.5-1.mga9

Tras haber sido aprobadas por el Consejo, las imágenes ISO de la beta 1 de Mageia 10 ya están disponibles para que el público las pruebe. En total, unos 26 GB de imágenes ISO han llegado a la rama ../mageia/iso/10/ de nuestros servidores de réplica.

Se han añadido muchas correcciones y nuevas actualizaciones desde que llegó la alpha 1 de Mageia 10 en Enero.

Tras la congelación de la versión, estos son los cambios más destacados con respecto a Mageia 9:

• Kernel 6.18 (LTS)
• Plasma 6.5
• Gnome 49
• Xfce 4.20
• LibreOffice 26.2
• Firefox ESR 140.8
• Mesa 26.0.2 – que habilita los controladores más recientes para AMD, Intel y nouveau (también están disponibles los controladores propietarios de nVidia)

El plan sigue siendo tener lista la versión oficial de Mageia 10 en abril de 2026.

Los próximos pasos incluyen:

• Publicar una beta 2 que contenga el material gráfico y la documentación actualizados para mga10.
• Aumentar las pruebas, especialmente para las actualizaciones desde mga9.
• Centrarse en corregir los errores que impiden el lanzamiento.

El conjunto de Mageia 10 Beta1 inlcuye una amplia colección de formatos de instalación:

• Imágenes ISO de instalación clásica para instalaciones tradicionales en sistemas de 32 bits (i686) y 64 bits.
• Imágenes Live Desktop con entornos de escritorio populares como Plasma, Gnome y Xfce.

Las imágenes ISO se pueden encontrar aquí o en el directorio ../mageia/iso/10/ de tu servidor espejo favorito.

¡Disfruta de las pruebas _o/!

This is a slightly edited version of a post written by BAud.

Having been approved by the Council, the Mageia 10 beta1 ISOs are now available for public testing.  All together about 26GB of ISOs have landed in the ../mageia/iso/10/ branch of our mirrors.

A lot of fixes and new updates have been added since Mageia 10 alpha1 arrived back in January.

Following version freeze, here are notable changes from Mageia 9:

• kernel 6.18 (LTS)
• Plasma 6.5
• GNOME 49
• Xfce 4.20
• LibreOffice 26.2
• Firefox ESR 140.8
• Mesa 26.0.2 – enabling latest drivers for AMD, Intel and nouveau (nVidia proprietary drivers are available too)

The plan is still to have the official Mageia 10 release ready in April 2026.

Next steps include:

• Publish a beta 2 containing artwork and documentation updated for mga10
• Increase tests, especially for upgrades from mga9
• Concentrate on fixing release blocker bugs

The Mageia 10 Beta1 set includes a comprehensive collection of installation formats:

• Classical Installation ISOs for traditional installs on 32-bit (i686) and 64-bit systems
• Live Desktop Images featuring popular desktops such as Plasma, GNOME, and Xfce

The ISOs can be found here or in the ../mageia/iso/10/ directory of your favourite mirror.

Enjoy your testing _o/!

Publication date: 19 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-25799 Description Division-by-Zero in YUV sampling factor validation leads to crash. (CVE-2026-25799) References

• https://bugs.mageia.org/show_bug.cgi?id=35199
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/A4HXQ3URGVXBE42UAP5YCPCA63KZZPJ3/
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25799

SRPMS 9/core

• graphicsmagick-1.3.40-1.3.mga9
• imagemagick-7.1.1.29-1.2.mga9

9/tainted

• graphicsmagick-1.3.40-1.3.mga9.tainted
• imagemagick-7.1.1.29-1.2.mga9.tainted

Publication date: 19 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-61984 , CVE-2025-61985 Description ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (CVE-2025-61984) ssh in OpenSSH before 10.1 allows the '0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. (CVE-2025-61985) References

• https://bugs.mageia.org/show_bug.cgi?id=35202
• https://ubuntu.com/security/notices/USN-8090-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61984
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61985

SRPMS 9/core

• openssh-9.3p1-2.6.mga9

Publication date: 19 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-4177 Description YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. (CVE-2026-4177) References

• https://bugs.mageia.org/show_bug.cgi?id=35219
• https://www.openwall.com/lists/oss-security/2026/03/16/6
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4177

SRPMS 9/core

• perl-YAML-Syck-1.340.0-4.1.mga9

Publication date: 19 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description The updated packages fix some regressions appeared in 18.2 and 15.16. References

• https://bugs.mageia.org/show_bug.cgi?id=35198
• https://www.postgresql.org/about/news/postgresql-183-179-1613-1517-and-1422-released-3246/

SRPMS 9/core

• postgresql15-15.17-1.mga9

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description OpenCPN has seen lots of improvement since version 5.10.2. This update is necessary for the safety of sailors. References

• https://bugs.mageia.org/show_bug.cgi?id=35208

SRPMS 9/core

• opencpn-5.12.4-3.mga9

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description OpenCPN plugins have seen lots of improvement since the versions already present in Mageia 9. They have been updated for Cauldron but sailors can't wait for Mageia 10 being published since these updates are necessary for their safety as early as this spring time. References

• https://bugs.mageia.org/show_bug.cgi?id=35209

SRPMS 9/core

• opencpn-ais-radar-plugin-1.4.20.0-1.mga9
• opencpn-celestial-navigation-plugin-2.4.66.0-1.mga9
• opencpn-climatology-plugin-1.6.35.0-1.mga9
• opencpn-dashboardsk-plugin-0.3.4-1.mga9
• opencpn-iacfleet-plugin-0.33.0-1.mga9
• opencpn-logbookkonni-plugin-1.5.00.0-2.mga9
• opencpn-nsk-plugin-0.2.4.1-1.mga9
• opencpn-objsearch-plugin-0.28.0-1.mga9
• opencpn-polar-plugin-1.2.37.0-1.mga9
• opencpn-radar-plugin-5.6.0~beta-1.mga9
• opencpn-sar-plugin-4.2.2-1.mga9
• opencpn-squiddio-plugin-1.3.99.0-1.mga9
• opencpn-watchdog-plugin-2.5.2.0-1.mga9
• opencpn-weather-routing-plugin-1.15.45.7-1.mga9

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description OpenCPN plugins have seen lots of improvement since the versions already present in Mageia 9. They have been updated for Cauldron but sailors can't wait for Mageia 10 being published since these updates are necessary for their safety as early as this spring time. These two updates concern plugins containing non free binaries necessary to use encrypted paid nautical charts from countries which don't provide them freely ! References

• https://bugs.mageia.org/show_bug.cgi?id=35210

SRPMS 9/nonfree

• opencpn-s63-plugin-1.30.9.1-1.mga9.nonfree
• opencpn-o-charts-plugin-2.1.9-1.mga9.nonfree

Publication date: 17 Mar 2026
Type: bugfix
Affected Mageia releases : 9
Description This update brings the last commits of this C++ library for MARitime NAVigation purposes. It may be needed to build or use programs for maritime navigation References

• https://bugs.mageia.org/show_bug.cgi?id=35211

SRPMS 9/core

• marnav-0.14.0-8.git20230504.mga9

Publication date: 14 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-0847 Description Path Traversal in nltk/nltk. (CVE-2026-0847) References

• https://bugs.mageia.org/show_bug.cgi?id=35188
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/UERV2PU6W5DFFKA4ORZASCPJ2ZDGYTBX/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847

SRPMS 9/core

• python-nltk-3.9.3-1.mga9

Publication date: 14 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-66614 , CVE-2026-24733 , CVE-2026-24734 Description Client certificate verification bypass due to virtual host mapping. (CVE-2025-66614) Security constraint bypass with HTTP/0.9. (CVE-2026-24733) OCSP revocation bypass. (CVE-2026-24734) References

• https://bugs.mageia.org/show_bug.cgi?id=35192
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G27HXAIMRCGPRM6GBYQX7NUKNQS4RLJ4/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66614
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24733
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24734

SRPMS 9/core

• tomcat-9.0.115-1.mga9

Publication date: 14 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-32249 Description NFA regex engine NULL pointer dereference affects Vim < 9.2.0137. (CVE-2026-32249) References

• https://bugs.mageia.org/show_bug.cgi?id=35197
• https://www.openwall.com/lists/oss-security/2026/03/11/6
• https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32249

SRPMS 9/core

• vim-9.2.140-1.mga9

Publication date: 10 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-26331 Description When yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. References

• https://bugs.mageia.org/show_bug.cgi?id=35183
• https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm
• https://github.com/yt-dlp/yt-dlp/compare/2026.02.04...2026.03.03
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26331

SRPMS 9/core

• yt-dlp-2026.03.03-1.1.mga9

Publication date: 09 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-2757 , CVE-2026-2758 , CVE-2026-2759 , CVE-2026-2760 , CVE-2026-2761 , CVE-2026-2762 , CVE-2026-2763 , CVE-2026-2764 , CVE-2026-2765 , CVE-2026-2766 , CVE-2026-2767 , CVE-2026-2768 , CVE-2026-2769 , CVE-2026-2770 , CVE-2026-2771 , CVE-2026-2772 , CVE-2026-2773 , CVE-2026-2774 , CVE-2026-2775 , CVE-2026-2776 , CVE-2026-2777 , CVE-2026-2778 , CVE-2026-2779 , CVE-2026-2780 , CVE-2026-2782 , CVE-2026-2783 , CVE-2026-2784 , CVE-2026-2785 , CVE-2026-2786 , CVE-2026-2787 , CVE-2026-2788 , CVE-2026-2789 , CVE-2026-2790 , CVE-2026-2791 , CVE-2026-2792 , CVE-2026-2793 Description Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757) Use-after-free in the JavaScript: GC component. (CVE-2026-2758) Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759) Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760) Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761) Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762) Use-after-free in the JavaScript Engine component. (CVE-2026-2763) JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764) Use-after-free in the JavaScript Engine component. (CVE-2026-2765) Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766) Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767) Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768) Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769) Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770) Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771) Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772) Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773) Integer overflow in the Audio/Video component. (CVE-2026-2774) Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775) Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776) Privilege escalation in the Messaging System component. (CVE-2026-2777) Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778) Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779) Privilege escalation in the Netmonitor component. (CVE-2026-2780) Privilege escalation in the Netmonitor component. (CVE-2026-2782) Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783) Mitigation bypass in the DOM: Security component. (CVE-2026-2784) Invalid pointer in the JavaScript Engine component. (CVE-2026-2785) Use-after-free in the JavaScript Engine component. (CVE-2026-2786) Use-after-free in the DOM: Window and Location component. (CVE-2026-2787) Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788) Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789) Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790) Mitigation bypass in the Networking: Cache component. (CVE-2026-2791) Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792) Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793) References

• https://bugs.mageia.org/show_bug.cgi?id=35166
• https://www.thunderbird.net/en-US/thunderbird/140.8.0esr/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2757
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2758
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2759
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2760
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2761
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2762
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2763
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2764
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2765
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2766
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2767
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2768
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2769
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2770
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2771
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2772
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2773
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2774
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2775
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2776
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2777
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2778
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2779
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2780
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2782
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2783
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2784
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2785
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2786
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2787
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2788
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2789
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2790
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2791
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2792
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2793

SRPMS 9/core

• thunderbird-140.8.0-1.mga9
• thunderbird-l10n-140.8.0-1.mga9

Publication date: 09 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-2757 , CVE-2026-2758 , CVE-2026-2759 , CVE-2026-2760 , CVE-2026-2761 , CVE-2026-2762 , CVE-2026-2763 , CVE-2026-2764 , CVE-2026-2765 , CVE-2026-2766 , CVE-2026-2767 , CVE-2026-2768 , CVE-2026-2769 , CVE-2026-2770 , CVE-2026-2771 , CVE-2026-2772 , CVE-2026-2773 , CVE-2026-2774 , CVE-2026-2775 , CVE-2026-2776 , CVE-2026-2777 , CVE-2026-2778 , CVE-2026-2779 , CVE-2026-2780 , CVE-2026-2781 , CVE-2026-2782 , CVE-2026-2783 , CVE-2026-2784 , CVE-2026-2785 , CVE-2026-2786 , CVE-2026-2787 , CVE-2026-2788 , CVE-2026-2789 , CVE-2026-2790 , CVE-2026-2791 , CVE-2026-2792 , CVE-2026-2793 Description Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757) Use-after-free in the JavaScript: GC component. (CVE-2026-2758) Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759) Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760) Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761) Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762) Use-after-free in the JavaScript Engine component. (CVE-2026-2763) JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764) Use-after-free in the JavaScript Engine component. (CVE-2026-2765) Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766) Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767) Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768) Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769) Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770) Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771) Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772) Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773) Integer overflow in the Audio/Video component. (CVE-2026-2774) Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775) Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776) Privilege escalation in the Messaging System component. (CVE-2026-2777) Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778) Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779) Privilege escalation in the Netmonitor component. (CVE-2026-2780) Integer overflow in the Libraries component in NSS. (CVE-2026-2781) Privilege escalation in the Netmonitor component. (CVE-2026-2782) Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783) Mitigation bypass in the DOM: Security component. (CVE-2026-2784) Invalid pointer in the JavaScript Engine component. (CVE-2026-2785) Use-after-free in the JavaScript Engine component. (CVE-2026-2786) Use-after-free in the DOM: Window and Location component. (CVE-2026-2787) Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788) Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789) Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790) Mitigation bypass in the Networking: Cache component. (CVE-2026-2791) Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792) Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793) References

• https://bugs.mageia.org/show_bug.cgi?id=35165
• https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html
• https://www.firefox.com/en-US/firefox/140.8.0/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2757
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2758
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2759
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2760
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2761
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2762
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2763
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2764
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2765
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2766
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2767
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2768
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2769
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2770
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2771
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2772
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2773
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2774
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2775
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2776
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2777
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2778
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2779
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2780
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2781
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2782
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2783
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2784
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2785
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2786
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2787
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2788
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2789
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2790
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2791
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2792
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2793

SRPMS 9/core

• rootcerts-20260206.00-1.mga9
• nss-3.121.0-1.mga9
• firefox-140.8.0-1.mga9
• firefox-l10n-140.8.0-1.mga9