Mageia Security

Feed
Mageia Advisories
Updated: 16 hours 14 minutes ago

MGAA-2026-0013 - Updated sddm-theme-coffee-ng packages fix bug

20 February, 2026 - 18:27
Publication date: 20 Feb 2026
Type: bugfix
Affected Mageia releases: 9
Description: Minor fixes to our alternative sddm theme.
SRPMS 9/core:
  • sddm-theme-coffee-ng-2.0-1.2.mga9

MGASA-2026-0043 - Updated microcode packages fix security vulnerabilities

18 February, 2026 - 17:17
Publication date: 18 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-24853, CVE-2025-31648
Description: The updated package updates AMD CPU microcode and fixes security vulnerabilities in Intel CPU microcode:
  • Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2024-24853)
  • Improper handling of values in the microcode flow for some Intel(R) Processor Family may allow an escalation of privilege. Startup code and smm adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (low), integrity (low) and availability (none) impacts. (CVE-2025-31648)
SRPMS 9/nonfree:
  • microcode-0.20260210-1.mga9.nonfree

MGASA-2026-0042 - Updated vim packages fix security vulnerability

18 February, 2026 - 17:17
Publication date: 18 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-26269
Description: Vim has a Netbeans specialKeys Stack Buffer Overflow. (CVE-2026-26269)
SRPMS 9/core:
  • vim-9.1.2148-1.mga9

MGASA-2026-0041 - Updated postgresql15 packages fix security vulnerabilities

17 February, 2026 - 18:47
Publication date: 17 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-2007
Description:
  • PostgreSQL oidvector discloses a few bytes of memory. (CVE-2026-2003)
  • PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code. (CVE-2026-2004)
  • PostgreSQL pgcrypto heap buffer overflow executes arbitrary code. (CVE-2026-2005)
  • PostgreSQL missing validation of multibyte character length executes arbitrary code. (CVE-2026-2006)
  • PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory. (CVE-2026-2007)
SRPMS 9/core:
  • postgresql15-15.16-1.mga9

MGASA-2026-0040 - Updated dcmtk packages fix security vulnerabilities

16 February, 2026 - 17:36
Publication date: 16 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-14607, CVE-2025-14841
Description:
  • OFFIS DCMTK dcmdata dcbytstr.cc makeDicomByteString memory corruption. (CVE-2025-14607)
  • OFFIS DCMTK dcmqrscp dcmqrdbi.cc startMoveRequest null pointer dereference. (CVE-2025-14841)
SRPMS 9/core:
  • dcmtk-3.6.7-4.7.mga9

MGASA-2026-0039 - Updated usbmuxd packages fix security vulnerability

16 February, 2026 - 17:36
Publication date: 16 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-66004
Description: Local privilege escalation in usbmuxd from arbitrary local user to usbmux. (CVE-2025-66004)
SRPMS 9/core:
  • usbmuxd-1.1.1-3.1.mga9

MGAA-2026-0012 - Updated mariadb packages fix bug

16 February, 2026 - 17:36
Publication date: 16 Feb 2026
Type: bugfix
Affected Mageia releases: 9
Description: Regular update of mariadb which brings some bugfixes.
SRPMS 9/core:
  • mariadb-11.4.10-1.mga9

MGASA-2026-0038 - Updated libpng packages fix security vulnerability

12 February, 2026 - 06:54
Publication date: 12 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-25646
Description: Heap buffer overflow in png_set_quantize when called with no histogram and a palette larger than twice the requested maximum number of colors. (CVE-2026-25646)
SRPMS 9/core:
  • libpng-1.6.38-1.4.mga9

MGASA-2026-0037 - Updated xrdp packages fix security vulnerability

11 February, 2026 - 18:56
Publication date: 11 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-68670
Description: xrdp improperly checks bounds of domain string length, which leads to Stack-based Buffer Overflow. (CVE-2025-68670)
SRPMS 9/core:
  • xrdp-0.9.23.1-1.2.mga9

MGASA-2026-0036 - Updated thunderbird packages fix security vulnerability

11 February, 2026 - 18:56
Publication date: 11 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-0818
Description: CSS-based exfiltration of the content from partially encrypted emails when allowing remote content. (CVE-2026-0818)
SRPMS 9/core:
  • thunderbird-140.7.1-1.mga9
  • thunderbird-l10n-140.7.1-1.mga9

MGASA-2026-0035 - Updated golang packages fix security vulnerabilities

11 February, 2026 - 18:56
Publication date: 11 Feb 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121
Description:
  • net/http: memory exhaustion in Request.ParseForm. (CVE-2025-61726)
  • archive/zip: denial of service when parsing arbitrary ZIP archives. (CVE-2025-61728)
  • crypto/tls: handshake messages may be processed at the incorrect encryption level. (CVE-2025-61730)
  • cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (CVE-2025-61731)
  • Potential code smuggling via doc comments in cmd/cgo. (CVE-2025-61732)
  • cmd/go: unexpected code execution when invoking toolchain. (CVE-2025-68119)
  • crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (CVE-2025-68121)
SRPMS 9/core:
  • golang-1.24.13-1.mga9