openSUSE News

Tumbleweed Monthly Update - April 2026

admin@opensuse.org (Douglas DeMaio) — Mon, 04 May 2026 11:00:00 +0000

There were several software package updates for openSUSE Tumbleweed during April and the later half of the month brought some urgency with Copy Fail, which is now safe for users of the rolling release and Slowroll for those who have done a zypper dup at the end of the month.

The information about affected flavors of openSUSE was covered in a blog by the security team.

April brought a major desktop release of GNOME 50 and there was a fourth Plasma 6.6 point release. PHP, GTK4 with the new native GtkSvg renderer, SQLite, iproute2, and nano were among some of the develop packages updated this month. The Linux kernel advances to 7.0.2, and Mesa progressed through 26.0.4 and 26.0.5 with raytracing fixes ahead of upcoming game releases. Security received heavy attention with WebKitGTK, Python, CUPS, Flatpak, sudo, and OpenEXR all receiving multiple Common Vulnerabilities and Exposures fixes.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

KDE Gear 26.04.0: This major release updates 129 packages from the 25.12.3 series across the core PIM suite (Akonadi, KMail, Kontact, KOrganizer), graphics tools (Gwenview, Okular), development tools (Kate, Kompare, Umbrello), and system utilities (Dolphin, Konsole, Kleopatra). Dolphin prevents re-entrant signal activation across multiple view states, and Ark prevents silent replacement of existing files by directory entries during extraction. Okular avoids processing HTML with QDomDocument and improves certificate selection, and kdegraphics-thumbnailers addresses multiple crashes for malformed files. Infrastructure-wide changes include CMake modernization, a port to QDoc documentation, and migration toward modern C++ patterns such as std::shared_ptr over QSharedPointer. The companion ktextaddons library jumps from 1.8.0 to 2.0.1.

KDE Frameworks 6.25.0: This release emphasizes code quality, memory safety, and developer experience. KIO reverts a problematic permissions-based readability check, restores proper FTP UTF-8 negotiation, fixes WebDAV copy/move headers, and resolves multiple memory leaks across file operations and preview jobs. KCodecs streamlines encoding detection with safer initialization, improved codec lookup performance, and removes obsolete code since Qt 6.8+ is required.Kirigami enhances component reliability by preventing dialog layer leaks and adds a configurable textFormat property to TitleSubtitle, while Breeze Icons expands the icon set with new status icons. KTextEditor improves document handling by using the first line as a fallback title and adding relevant MIME types to save dialogs.

GNOME 50 for developers: This release brings significant improvements to the development stack. Builder gains a new save delegate system for better draft handling, refined dark theme colors matching the Adwaita palette, and more integrated help documentation. Flatpak support now moves deleted files to the trash, the LSP client better handles delete notifications, and the build pipeline supports more flexible post-install commands. Mutter Devkit receives a major feature expansion including HiDPI and fractional scaling simulation, multi-monitor support within a single session, clipboard integration between host and Devkit, and resizable virtual displays with emulated monitor modes — reducing the need for physical multi-monitor test setups. GTK 4.22 introduces GtkSvg, a new native in-process SVG renderer integrated with the GTK Scene Graph that supports SVG animations, passes over 1,250 tests in the resvg test suite, and maintains 60fps+ performance for trusted system icons and application resources (untrusted SVGs should still use the sandboxed Glycin library). Libadwaita 1.9 introduces new sidebar widgets including AdwSidebar and AdwViewSwitcherSidebar (replacing GtkStackSidebar), automatic support for the system-wide reduced motion preference across most widgets, context menus on AdwAboutDialog link rows, and GTK_DEBUG=builder diagnostics for all standard widgets. Autoloaded style resources are deprecated in favor of standard CSS media queries.

GDM 50.0: The most significant change for this in the GNOME 50 release is the complete removal of X11 support for GDM’s own sessions, which now always run on Wayland. Features like XDMCP and the system-wide Xserver are gone, though launching other desktops’ X11 sessions via per-user X servers is still possible. Compiling GDM without Wayland support is no longer possible. With systemd v260+, remote desktop sessions and local background sessions are now granted GPU access, enabling accelerated graphics for remote sessions on distributions that restrict GPU device node permissions. service simplifies starting headless graphical sessions for RDP purposes. The gdm/gdm3` user is no longer needed since GDM now fully relies on dynamically allocated users. Wtmp/utmp/btmp records now contain more useful values, especially for Wayland and headless RDP sessions.

Plasma 6.6.4: KWin fixes blur flickering after wobbly windows, improves startup feedback icon clarity, resolves crashes with accessibility keyboards, and enhances pointer scaling and key repeat handling on Wayland. The Oxygen theme addresses pixelated buttons under fractional scaling, restores missing menu shadows, and adds a missing switch SVG. Usability improvements include better RTL support in Kicker, proper drag initiation only after pointer movement, and refined shortcut conflict prevention in keyboard settings. Plasma Keyboard hardens virtual input handling with UTF-8 length fixes and disables predictive text during capture. Other fixes improve Discover by correcting how it tracks the number of active transactions, Dr Konqi with more reliable crash debugging, and Spectacle with a workaround for an overlay issue introduced in Qt 6.11. Several system tray and menu rendering glitches across multiple applets are also resolved, resulting in a smoother and more resilient desktop experience.

w3m 0.5.6: This is a major update for the terminal web browser. New features include commands to scroll the current line to top/bottom, a change directory (CD) command, a vim-like smartcase search option, recognition of aria-label for buttons, gopher protocol support, and experimental session store and restore. The image display in the kitty terminal is fixed, and slow backward search in long lines is improved.

LibreOffice 26.2.2.2: This is a major version upgrade with completely new features, improvements, and bug fixes across Writer, Calc, Impress, Draw, Math, and Base. Detailed release notes are available at The Document Foundation wiki. Bundled components are refreshed including PDFium updated from 7012 to 7471 and 2D Graphics Library Skia updated from milestone 136 to 142.

SDL3 3.4.2: This update adds SDL_HINT_OPENGL_FORCE_SRGB_FRAMEBUFFER to control sRGB behavior for OpenGL and OpenGL ES contexts. A long startup time on Windows caused by non-compliant input devices was fixed, along with a divide-by-zero when using Nintendo Switch 2 controllers and improved GameCube adapter handling in PC mode. Support for the Razer Raiju V5 Pro is added.

cryptsetup 2.8.6: This update has several disk encryption fixes. The resumed device UUID is now verified against the UUID stored in metadata, and the LUKS2 reencryption lock name was corrected. FileVault (fvault2) metadata parsing is fixed, including reading from the correct image offset. The OpenSSL crypto backend works again when built with LibreSSL and allows up to 64 concurrent threads.

Mozilla Firefox 149.0.2: This update addresses multiple security vulnerabilities, including integer overflow and memory safety bugs in Graphics: Text and Graphics: WebGPU components. The update also includes enterprise-related features such as AI-feature management, prevention of built-in VPN and IP protection, and correct application of browser homepage and start page policies. Other fixes include resolution of layout issues with graphics (SVG), crash prevention for security keys and WebAuthn features, and improved handling of web page printing and website error pages. Additionally, the build process is updated to be compatible with clang-based building on Leap, with the necessary libraries specified. [Linux]

PHP 8.5.5: This minor version bump from the 8.4 series brings numerous bug fixes across the core, DOM, Opcache, and OpenSSL modules. Notable fixes address JIT compiler arithmetic errors, memory leaks, and use-after-free vulnerabilities. The package now requires libcapstone as a dependency.

nano 9.0: This is a major version bump for the popular terminal text editor. The release improves horizontal scrolling, changes how macro recording is handled, and brings other usability refinements that build on the 8.x series.

iproute2 7.0: A major version bump for the Linux network configuration toolkit. New features include CAN XL support and DPLL mode setting, both of which extend networking and timing capabilities for newer hardware platforms.

iw 6.17: This wireless configuration tool sees a significant jump from 6.9. It adds support for WPA3 SAE association, EHT rate and bitrate handling for Wi-Fi 7, multi-radio RTS configuration, and endianness fixes across the wireless stack.

GIMP 3.2.4: This minor update to the GNU Image Manipulation Program continues the 3.2 series with bug fixes and incremental improvements following the 3.2.2 release.

xterm 407: New private modes for UTF-8 and character width reporting are introduced, and Unicode handling and window resizing functionality are improved.

gnome-remote-desktop 50.1: This minor update to the GNOME 50 release fixes a black-screen issue when using NVIDIA GPUs.

Key Package Updates

Linux kernel 6.19.11 - 7.0.2: The 7.0.2 update fixes an SMB client out-of-bounds read in smb2_ioctl_query_info, DACL validation in cifsacl, and directory separator handling in SMB1 UNIX mounts. F2FS receives multiple fixes including a use-after-free in f2fs_compress_write_end_io() and f2fs_write_end_io(), a memory leak in f2fs_rename(), and improved sanity checks. FUSE fixes several issues including rejection of oversized dirents in page cache, aborting on fatal signals during sync init, and ensuring device file initialization before cloning. A TOCTOU race in net/packet on mmap’d vnet_hdr in tpacket_snd() is corrected, and crypto fixes address async decrypt skipping hash verification in krb5enc and failed PSP command handling in the CCP driver. The 7.0.1 version sees KVM SEV receive several hardening fixes including locking all vCPUs when synchronizing VMSAs for SNP launch finish, disallowing LAUNCH_FINISH if vCPUs are actively being created, and protecting sev_mem_enc_register_region() with proper locking. Multiple use-after-free bugs are resolved across subsystems including bcache (crash in cached_dev.sb_bio), ocfs2 (fault handling with VM_FAULT_RETRY), the em28xx media driver, blk-cgroup writeback, and ALSA 6fire on USB disconnect. The 6.19.11 update brings several BPF fixes including reset of register ID for BPF_END value tracking, constant blinding for PROBE_MEM32 stores, undefined behavior in interpreter sdiv/smod for INT_MIN, and unsound scalar forking in maybe_fork_scalars(). CXL receives multiple corrections including a use-after-free of parent_port in cxl_detach_ep() and a leak in region construction. NVMe-PCI now caps queue creation to used queues, and platform support is expanded with several HP Omen and Victus laptops, OneXPlayer handheld variants, and Dell 14 Plus 2-in-1 keyboard support.

Mesa 26.0.4 & 26.0.5: The 26.0.4 out-of-schedule release combines bugfix updates and important raytracing fixes for an upcoming game. RADV corrects an invalid hitAttributeEXT value when using function-call RT pipelines, fixes a memory leak in radv_rt_nir_to_asm, and emits BOP events after every draw to work around a VRS bug on GFX12. RadeonSI fixes a missing ground texture and ANV (Intel) addresses flashing effects in Horizon Forbidden West. Nouveau fixes a segmentation fault in gm200_validate_sample_locations triggered by Firefox on GTX 1070 Ti, and NVK corrects barrier cache invalidation and viewport handling on Turing with FSR. The 26.0.5 follow-up is another bugfix release that refreshes the GL headers from libglvnd and disables Vulkan and Panfrost on armv6. Full release notes are available at the Mesa documentation site.

SQLite 3.53.0: A new Query Result Formatter library is introduced in this release for the popular embedded database, and ALTER TABLE is enhanced with additional capabilities. The jump from 3.51.3 also brings query planner refinements and incremental improvements that benefit any application linking against the system SQLite.

libxml2 2.15.3: A point release follow-up to the major 2.15 update. Multiple security fixes are included for type confusion, double-free, and use-after-free issues in the XML parser.

libpng16 1.6.57: A small but security-relevant point release that fixes a use-after-free in chunk setters tracked as CVE-2026-34757.

libjpeg-turbo 3.1.4.1: This update to the widely used JPEG codec includes multiple API hardening fixes and improved buffer handling, providing a more robust foundation for image-processing software across the system.

libarchive 3.8.7: A heap buffer overflow in CAB archive handling is fixed, along with a buffer overflow in the ISO9660 reader. As libarchive is used by package managers and archive tools across the distribution, this update is broadly relevant.

mozilla-nss 3.122.1: This release of the Network Security Services library brings 30+ bug fixes, including patches for multiple heap use-after-free, integer overflow, and ASN.1 parsing vulnerabilities that affect TLS handling in Firefox, Thunderbird, and other consumers.

pipewire 1.6.4: This audio and video pipeline server resolves segmentation faults, improves JACK compatibility, and corrects regressions in the RAOP (AirPlay) module.

SSSD 2.13.0: The pam_sss_gss module can now read SIDs from the Kerberos ticket PAC and apply authentication indicators via the new pam_gssapi_indicators_apply option, supporting Active Directory’s Authentication Mechanism Assurance (AMA). Active Directory Foreign Security Principals (FSP) are now properly detected and ignored when reading nested group members. Support for the KDE Plasma Login Manager is added. New options include avoid_by_id_lookups for preferring name-based lookups, and interactive/interactive_prompt for customizing OAuth2 prompting behavior. Cache performance is optimized for large deployments.

mpc 1.4.1: This complex-number arithmetic library steps from 1.3.1 to 1.4.1 and adds new functions including mpc_exp10, mpc_exp2, and mpc_log2. Sign handling for imaginary parts is improved and pkg-config generation is included.

leancrypto 1.7.2: This cryptographic library jumps from 1.6.0 and adds post-quantum primitives ML-DSA, SLH-DSA, and ML-KEM along with an X.509 fix tracked as CVE-2026-34610.

SELinux Policy 20260410: This update contains a wide range of policy refinements. Missing Nextcloud file contexts are added, the openSUSE /var/lib/php8 path and /srv/www/htdocs Apache DocumentRoot are properly labeled. Cloud-init is now allowed to domtrans into ssh-keygen, and accountsd gains proper D-Bus communication with systemd-homed along with corrected file context labeling for /usr/share/accountsservice. OpenSSH receives a policy adjustment allowing sshd-session to send a generic signal to sshd-auth. Polkit support is updated for its agent helper. Additional permissions are granted for staff and sysadm users, including reading PID1 process state, connecting to systemd-logind and lvm over Unix stream sockets, mounting /proc, and gaining sandboxing features. Virtualization policies gain several adjustments for virtqemud and virtnetworkd, and a new local_login_allow_accountutils_fallback_mode boolean is introduced. The snapper sdbootutil plugin is allowed to read kernel modules. The embedded container-selinux is updated to v2.247.0.

texinfo 7.3: The documentation format package adds new title-page commands, flexible node headings, and cross-reference features. texi2any gains major HTML speedups, optional C implementation, improved diagnostics, and defaults updates. HTML, Info, LaTeX, XML, and info tool receive enhancements and cleanups. The updated deprecated @clickstyle and removed old patches.

XZ Utils 5.8.3: This update fixes a buffer overflow in lzma_index_append() and an invalid memory access in xz when using --files and --files0 options. Arabic man page translations are added.

GTK4 4.22.2: The headline change is native SVG rendering via the new GtkSvg renderer, which drops the librsvg dependency entirely for icon and image rendering. The new renderer supports animations, state names, and SVG filters, with filters now operating in linear RGB by default. The GStreamer media backend now supports gapless looping with GStreamer 1.28, and gtk4-rendernode-tool gains a new filter command for node manipulation. Several drag-and-drop fixes are included, notably restoring the DropTarget::leave signal emission when a drop finishes. Vulkan handling is improved with fixes for SWAPCHAIN_MAINTENANCE checks, pending offset resets on Wayland, and invalid reads. Symbolic icon fallback rendering is corrected, dmabuf support now handles fewer fds than planes, and drop shadow rendering no longer darkens transparent textures. For Tumbleweed users, this brings major rendering architecture improvements and broad stability fixes to GTK4 applications.

webkitgtk3 and webkitgtk4 2.52.1: Numerous security vulnerabilities are patched across both releases. Touch scrolling for small movements is smoother, and scrollend events are now correctly emitted after scroll animations. Async scrolling is improved when the main thread is busy by rendering scrollbars from the scrolling thread. The GPU process is disabled by default in this cycle. A build option to disable USE_GSTREAMER is added for configurations without multimedia support.

Security Updates

Python:

CVE-2026-25645: Addresses an issue in Python allowing a local attacker to pre-create malicious files that could be reused and loaded without validation.
CVE-2026-4519: Fixes a command-line option injection in Python’s webbrowser.open() where leading dashes in URLs could be interpreted as browser command-line arguments.
CVE-2025-13462: Addresses an issue where Python’s tarfile module can cause crafted archives to be misinterpreted.
CVE-2026-4224: Resolves a stack overflow that could lead to a crash.

python-cryptography 46.0.7:

CVE-2026-39892: Fixes a buffer overflow that can occurr when a non-contiguous buffer was passed to APIs accepting Python buffers.

w3m 0.5.6:

CVE-2023-38252: Fixes an out-of-bounds read that could allow a crafted HTML file to cause a denial of service.
CVE-2023-38253: Fixes an out-of-bounds read that could allow a crafted HTML file to cause a denial of service.

webkitgtk3 and webkitgtk4 2.52.1:

CVE-2025-43213: Fixes an issue where processing maliciously crafted web content could lead to an unexpected crash.
CVE-2025-43214: Addresses a flaw where processing maliciously crafted web content could cause an unexpected crash.
CVE-2025-43457: Resolves a vulnerability where processing maliciously crafted web content could lead to an unexpected crash.
CVE-2025-43511: Fixes an issue where processing maliciously crafted web content could lead to memory corruption.
CVE-2025-46299: Addresses a flaw in WebKit where processing maliciously crafted web content could lead to unexpected behavior.
CVE-2026-20608: Resolves a vulnerability where processing maliciously crafted web content could lead to memory corruption.
CVE-2026-20635: Fixes a WebKit flaw where processing maliciously crafted web content could cause an unexpected crash.
CVE-2026-20636: Addresses an issue where processing maliciously crafted web content could lead to memory corruption.
CVE-2026-20644: Resolves a WebKit vulnerability where processing maliciously crafted web content could lead to an unexpected crash.
CVE-2026-20652: Fixes an issue where processing maliciously crafted web content could cause memory corruption.
CVE-2026-20676: Addresses a WebKit flaw where processing maliciously crafted web content could lead to unexpected behavior or a crash.
CVE-2026-20643: Resolves a cross-origin issue in the Navigation API where processing maliciously crafted web content could bypass the Same Origin Policy.
CVE-2026-20664: Fixes a WebKit memory handling flaw where processing maliciously crafted web content could cause an unexpected process crash.
CVE-2026-20665: Addresses an issue where processing maliciously crafted web content could prevent Content Security Policy from being enforced.
CVE-2026-20691: Resolves an authorization flaw where a maliciously crafted webpage could be used to fingerprint the user.
CVE-2026-28857: Fixes a WebKit memory handling issue where processing maliciously crafted web content could cause an unexpected process crash.
CVE-2026-28859: Addresses a flaw where a malicious website could process restricted web content outside the sandbox.
CVE-2026-28861: Resolves a logic issue where a malicious website could access script message handlers intended for other origins.
CVE-2026-28871: Fixes a logic flaw where visiting a maliciously crafted website could lead to a cross-site scripting attack.

libcap 2.78:

CVE-2026-4878: Addresses a race condition that could lead to local privilege escalation.

OpenJDK 25 25.0.3:

CVE-2026-22007: Fixes an information disclosure vulnerability in the Security component of Java SE that could allow a local attacker to read a subset of accessible data.
CVE-2026-22008: Addresses a flaw in the Libraries component of Java SE that could allow an unauthenticated network attacker to modify some accessible data.
CVE-2026-22013: Resolves an information disclosure vulnerability in the JGSS component of Java SE that could expose critical data to an unauthenticated network attacker.
CVE-2026-22016: Fixes an information disclosure flaw in the JAXP component of Java SE that could allow an unauthenticated attacker to access critical data via network protocols.
CVE-2026-22018: Addresses a denial-of-service vulnerability in the Libraries component of Java SE that could be triggered by an unauthenticated network attacker.
CVE-2026-22021: Resolves a denial-of-service flaw in the JSSE component of Java SE exploitable via HTTPS by an unauthenticated attacker.
CVE-2026-23865: Fixes a vulnerability in the bundled FreeType library that could allow memory corruption when processing crafted font data.
CVE-2026-34268: A patch was added for an information disclosure issue in the Security component of Java SE that could allow a local attacker to read a subset of accessible data.
CVE-2026-34282: Addresses a denial-of-service vulnerability in the Networking component of Java SE that could allow an unauthenticated attacker to cause a complete crash or hang.

Flatpak 1.16.6:

CVE-2026-34078: Fixes a sandbox escape where the portal accepted app-controlled symlinks in sandbox-expose paths, allowing arbitrary host file access and code execution in the host context.
CVE-2026-34079: Addresses a path traversal flaw that could allow an app to delete arbitrary files on the host.

libinput 1.31.1:

CVE-2026-35093: Fixes a code injection flaw where a local attacker could place a crafted Lua bytecode file in system or user configuration directories to bypass security restrictions and execute code with the privileges of the affected program.
CVE-2026-35094: Addresses a dangling pointer that could leak memory contents to system logs.

opensc 0.27.1:

CVE-2025-49010: Fixes a stack buffer overflow that could cause memory corruption.
CVE-2025-66215: Fixes a stack buffer overflow that could cause memory corruption. .
CVE-2025-66038: Addresses an out-of-bounds read that could lead to memory corruption during smart card processing.
CVE-2025-66037: Addresses an out-of-bounds heap read that could lead to denial of service.
CVE-2025-13763: Fixes several uses of potentially uninitialized memory in OpenSC detected by fuzzers.

XZ Utils 5.8.3:

CVE-2026-34743: Fixes a heap buffer overflow in XZ Utils where decoding an empty Index left lzma_index in a state that caused undersized allocation in a subsequent lzma_index_append() call.

389ds 3.1.4+e2562f589:

CVE-2025-14905: Fixes a heap buffer overflow caused by incorrect buffer size calculation that could potentially lead to denial of service or remote code execution.

openexr 3.4.9:

CVE-2026-34589: Fixes a heap out-of-bounds write that could lead to memory corruption.
CVE-2026-34588: Addresses a signed 32-bit overflow leading to out-of-bounds read/write.
CVE-2026-34380: Resolves a signed integer overflow that could allow bounds-check bypass during PXR24 decompression.
CVE-2026-34379: Fixes a misaligned write leading to undefined behavior.
CVE-2026-34378: Addresses a signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x values.
CVE-2026-34543: Resolves a heap information disclosure that could cause uninitialized heap memory to leak into output pixel data.
CVE-2026-34544: Fixes a signed integer overflow that could lead to an out-of-bounds write and memory corruption.

evolution-data-server 3.60.0:

CVE-2026-2604: The advisory for this vulnerability indicates it involves an insecure local cache file removal.

SSSD 2.13.0:

CVE-2026-6245: Fixes an out-of-bounds read in the PAM passkey responder.

glib2 2.88.0:

CVE-2026-23868: Fixes a vulnerability caused by a shallow copy that may lead to memory corruption.
CVE-2026-32776: Fixes a NULL pointer dereference when processing empty external parameter entity content.
CVE-2026-32777: Addresses an issue that could result in an infinite loop while parsing DTD content, potentially leading to a denial of service.
CVE-2026-32778: Resolves a NULL pointer dereference following an earlier out-of-memory condition.

sudo:

CVE-2026-35535: Fixes a privilege escalation in sudo where a failed setuid, setgid, or setgroups call during the privilege drop was not treated as a fatal error.

CUPS 2.4.17:

CVE-2026-27447: Fixes a case-sensitivity vulnerability in user/group handling that could allow access bypass.
CVE-2026-34978: Addresses a directory traversal flaw in the RSS notifier.
CVE-2026-34979: Resolves insufficient memory allocation for job options that could lead to buffer issues.
CVE-2026-34980: Fixes incomplete control character filtering in option values.
CVE-2026-34990: Addresses missing certificate validation over loopback connections.
CVE-2026-39314: Resolves a job password range check flaw.
CVE-2026-39316: Fixes a scheduler subscription bug that could be abused to disrupt printing.

mozilla-nss 3.122.1:

This release rolls up more than 30 fixes across the Network Security Services library, including patches for multiple heap use-after-free, integer overflow, and ASN.1 parsing vulnerabilities affecting TLS handling.

ruby4.0 4.0.3:

CVE-2026-41316: Fixes a vulnerability in the ERB component affecting Marshal.load operations with untrusted data.

python-lxml 6.1.0:

CVE-2026-41066: Fixes an external entity injection (XXE) vulnerability in iterparse() that could allow disclosure of local files or server-side request forgery.

libXpm:

CVE-2026-4367: Addresses an out-of-bounds read when parsing crafted XPM image files that could lead to information disclosure or a crash.

dnsmasq:

CVE-2026-6507: Fixes an out-of-bounds write in DHCP BOOTREPLY processing that could be triggered by a malicious DHCP server response.

libpng16 1.6.57:

CVE-2026-34757: Fixes a use-after-free in chunk setters that could lead to memory corruption.

libarchive 3.8.7:

Fixes a heap buffer overflow in CAB archive handling and a buffer overflow in the ISO9660 reader. Both flaws could be triggered by crafted archive files and are relevant given libarchive’s broad use across packaging and extraction tools.

libxml2 2.15.3:

This release rolls up multiple security fixes including a type confusion issue, a double-free, and a use-after-free in the XML parser.

ImageMagick 7.1.2.19:

CVE-2026-33905: Fixes a flaw that could be triggered by crafted images and lead to a crash or memory corruption.

GraphicsMagick:

CVE-2026-33535: Addresses an out-of-bounds write in X11 display interaction that could lead to a crash or potential code execution.
CVE-2026-26284: Fixes a heap overflow that could be triggered while processing crafted images.

leancrypto 1.7.2:

CVE-2026-34610: Fixes an X.509 parsing flaw that could lead to certificate validation bypass.

openldap2 2.6.13:

Addresses a heap buffer overflow in parse_whsp and a potential NULL pointer dereference, both of which could be triggered by malformed input to the LDAP server.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

April 2026 was a busy month for openSUSE Tumbleweed with two of the largest desktop releases of the year landing back to back: GNOME 50 and KDE Gear 26.04.0. GTK4 4.22 introduced the new native GtkSvg renderer and dropped the librsvg dependency for icon rendering, while LibreOffice 26.2 brought a fresh major office suite. Developers received major version bumps across PHP 8.5, SQLite 3.53, iproute2 7.0, nano 9.0, and the iw wireless tool. Security continued to be a heavy theme with WebKitGTK, CUPS, Python, Flatpak, sudo, and OpenEXR all receiving multiple CVE fixes alongside a steady cadence of cryptographic library hardening from mozilla-nss, libgcrypt, and leancrypto.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive between an average of 5 to 10 days after being released in Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

openSUSE Asia Summit 2026 Call for Speakers

admin@opensuse.org (openSUSE Asia Summit Team) — Wed, 29 Apr 2026 17:30:00 +0000

We are excited to announce that the Call for Speakers for openSUSE.Asia Summit 2026 is now open! This year, the Summit will take place on October 3–4, 2026, at the Teaching Industry Learning Center (TILC), Vocational School, Universitas Gadjah Mada (UGM), Yogyakarta, Indonesia. For more details, stay tuned to our official channels and news portal.

The openSUSE.Asia committee invites speakers from all backgrounds to share their knowledge, experience, and passion for openSUSE and open source. Speakers may also apply for support from the openSUSE Travel Support Program (TSP). We encourage everyone, near or far, to submit their proposals and join us in Yogyakarta!

Topics

The examples of the topics (not limited to) are as the following:

openSUSE (e.g., Leap, Tumbleweed, Micro OS, Open Build Services, openQA, YaST)
Desktop environments and applications (e.g., GNOME, KDE, XFCE)
Office suite, graphic art, multimedia (e.g., LibreOffice, Calligra, GIMP, Inkscape)
Multilingualization support (e.g., input methods, translation)
Cloud, Virtualization, Container, and Container Orchestration (e.g., Kubernetes, Rancher)
Package supply-chain security, vulnerability management
Embedded and IoT
Other applications running on openSUSE

Topics that are not related to a specific technology are also welcome. For example:

An overview of FLOSS technologies
Development, Quality Assurance, Translation
Tips & Tricks, Experience stories (success or fail), Best practice
Marketing and community management
Education

Types of sessions

We are inviting proposals for these two types of sessions.

Long talks with presentation (45 min. + Q&A)
Short talks with presentation (30 min. + Q&A)

Lighting talk sessions (5 min.) will be announced later.

Schedule

Proposal submission deadline: 1 July, 2026
Notification to speakers: 21 July, 2026

How to submit your proposal document

Please submit your proposal at events.opensuse.org. If you do not have a SUSE community account, please sign up before submitting your proposal.

You must follow the openSUSE Conference Code of Conduct.
Your proposal should be written in English, between 130 and 250 words, and have a clear, relevant title.
Please check for spelling and grammar before submitting, using tools like LibreOffice, Google Docs, or Grammarly.
See our guide for tips on writing a great proposal.
If you need help, contact committee members in your country or region.

Requirements for your presentation

You may present in English or Bahasa Indonesia, but all documents and slides must be in English.
Speakers must be present at the venue; prerecorded videos and remote presentations are not allowed.

Quantum-Resilient Cryptography in the openSUSE Ecosystem

admin@opensuse.org (Alessandro de Oliveira Faria) — Tue, 28 Apr 2026 04:00:00 +0000

It is with great joy that I officially announce the release in the openSUSE family (Leap and Tumbleweed) of the new package focused on cryptography resistant to the post-quantum era.

The libzupt library is designed to offer encryption and decryption of files and binary data in memory using a hybrid approach based on ML-KEM-768 + X25519.

libzupt is a modern SDK that simplifies the adoption of post-quantum cryptography in real-world applications. Currently, it has initial support for C++, Python, and Java, with support for Node.js (under development). Its goal is to make the implementation of advanced cryptographic mechanisms accessible without compromising usability for developers.

libzupt, created by Alessandro de Oliveira Faria, is a modern SDK that simplifies the adoption of post-quantum cryptography in real-world applications. Currently, it has initial support for C++, Python, and Java, with Node.js support (under development). Its goal is to make the implementation of advanced cryptographic mechanisms accessible without compromising usability for developers.

The project originates from the Zupt initiative, conceived by Cristian Cezar Moisés. As a tribute, the library inherited the name of the original project. Zupt, in turn, is a compression and backup tool that already incorporated advanced concepts such as authenticated AES-256 encryption and post-quantum key encapsulation.

The motivation behind libzupt is directly linked to the evolution of modern cryptography. The ML-KEM algorithm was standardized by NIST on August 13, 2024, as a secure key encapsulation mechanism for post-quantum scenarios. It allows for the secure establishment of keys even in insecure channels, anticipating future threats.

Below is a simple example of using libzupt in Python:

import zupt
encryptor = zupt.Encryptor(keypair.public_key)
message = b"Hello, Post-Quantum World! This is a secret message."
ciphertext, enc_header = encryptor.encrypt(message)

The main benefit of natively providing this library in openSUSE, is that it allows current applications to be prepared for a scenario where quantum computing could compromise classical algorithms, such as Shor’s Algorithm.

By combining traditional cryptography with mechanisms resistant to quantum computing, libzupt adds a strategic layer of protection. This enables the development of more resilient systems, ensuring the confidentiality and integrity of data in the long term, even in the face of technological evolution.

For more information, go to software opensuse or the source.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Mon, 27 Apr 2026 08:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from April 17 to 23.

Blogs this week cover a Tumbleweed weekly review delivering seven snapshots with notable updates including GNOME 50, KDE Plasma 6.6.4, and Linux kernel 6.19.12. The week also features the venue announcement for openSUSE.Asia Summit 2026 in Yogyakarta, a SUSE Security Team winter spotlight, performance tuning improvements in syslog-ng, a hands-on look at Cockpit as a YaST replacement, and more.

Here is a summary and links for each post:

Kookbook Updates to Version 0.3.0

The KDE Blog covers the 0.3.0 release of Kookbook, a recipe management application created by KDE developer Sune Vuorela. The update brings minor bug fixes along with a migration to Qt6. The application stores recipes as Markdown files and offers ingredient indexing, tag-based organization, and flexible synchronization through external tools like Git or Nextcloud.

Testing Cockpit, the YaST Replacement in openSUSE Tumbleweed

Victorhck in the Free World explores Cockpit, the web-based system management tool that is replacing YaST in openSUSE. After installing the cockpit-client-launcher and resolving missing GTK dependencies, the author found the interface clean and well-organized with familiar configuration options alongside modern features for managing storage, networks, and software repositories.

New Performance Tuning Possibilities in syslog-ng

Peter Czánik’s Blog discusses performance enhancements coming to syslog-ng 4.12 that achieved seven million events per second under laboratory conditions. While the figure represents a benchmark rather than a real-world deployment number, Peter explains that the underlying technologies are already available on the development branch or have existed for some time but lacked sufficient promotion and testing.

Best JPG to PDF Converters for Speed and Ease

The KDE Blog evaluates a range of JPG to PDF conversion tools, from desktop options like KDE Plasma’s Service Menus to online platforms such as Adobe Acrobat Online and iLovePDF. The post weighs each tool’s strengths regarding conversion speed, ease of use, and privacy, and also covers mobile solutions like CamScanner for document digitization.

AI Workshop at Linux Center Valencia

The KDE Blog announces a free AI-focused event organized by Slimbook at their Linux Center facility in Paterna, Valencia on April 25, 2026. The workshop features three sessions: an overview of current AI tools, a hands-on tutorial for running AI locally using Ollama and Fox, and an advanced session on creating autonomous AI assistants for personal computers.

From Virtual Desktop Deployment to Running Local AI – New Barcelona Free Software Talk

The KDE Blog announces a Barcelona Free Software talk on Tuesday April 28, 2026 at 19:00 at Akasha Hub in Barcelona, featuring Alberto Larraz, co-founder of IsardVDI. The talk traces IsardVDI’s 14-year journey from a Free Software alternative to Citrix and VMware Horizon in educational settings to a versatile platform that now leverages GPU management to run local AI inference workloads. Attendees will learn how IsardVDI can be used to generate images, run LLM chats, and power local code assistants using sovereign AI models.

SUSE Security Team Spotlight Winter 2025/2026

The SUSE Security Team winter report documents code review activities across multiple software projects. The team examined systemd releases v258 through v260, snapd transparency features, various D-Bus services including bootkitd and rtkit, and investigated SteamOS and Deepin desktop components. A revisit of Deepin software revealed persistent vulnerabilities in the accounts service, prompting the team to deprioritize future Deepin reviews.

openSUSE.Asia Summit 2026 Announces Venue at Universitas Gadjah Mada

openSUSE News announces that the openSUSE.Asia Summit 2026 will be held October 3–4 at the Teaching Industry Learning Center of Universitas Gadjah Mada in Yogyakarta, Indonesia. Organizers anticipate around 350 participants over two days of talks, workshops, and community activities. The venue was selected for its modern facilities and the university’s strong reputation as a leading Indonesian institution focused on education, research, and innovation.

Per-Screen Virtual Desktops and Wayland Session Restore – This Week in Plasma

The KDE Blog covers the latest This Week in Plasma highlights, including a major new feature in Plasma 6.7 that allows each monitor to independently switch between virtual desktops. KWin has also gained support for the Wayland session management protocol, paving the way for applications to remember their size and position after a system restart. The edition also rounds up numerous UI improvements, such as drag-and-drop support for app launchers, a new standard Badge component in Kirigami, and a range of bug fixes across Plasma 6.6.4, 6.6.5, and 6.7.

Hello Old New ‘Projects’ Directory!

Matthias Klumpp’s Blog introduces the xdg-user-dirs 0.20 release, which now enables a Projects directory by default in Linux home folders. The folder offers a standardized location for project files that do not cleanly belong in existing categories like Documents or Music. Users who prefer the old layout can simply delete the folder and the utility will adjust accordingly, while administrators can customize default locations through configuration files.

Tumbleweed – Review of the Week 2026/16

Victorhck and dimstar cover a busy week with seven Tumbleweed snapshots delivered in seven days across snapshots 0410 through 0416. Major updates included GNOME 50, KDE Plasma 6.6.4, Samba 4.23.6, PHP 8.4.20, GStreamer 1.28.2, and Linux kernel 6.19.12, along with improvements to transactional-update’s soft-reboot functionality. Looking ahead, the team is preparing significant upgrades such as Linux kernel 7.0, LLVM 22, and GCC 16 as the system compiler.

Episode 72 of KDE Express: Plasma 6.6.4, Gear 26.04 and More News

The KDE Blog shares the latest episode of KDE Express, a Spanish-language podcast covering the KDE community and open source software. The episode highlights significant releases including Plasma 6.6.4 and KDE Gear 26.04, along with developments across various KDE applications and distributions.

View more blogs or learn to publish your own on planet.opensuse.org.

openSUSE.Asia Summit 2026 Announces Venue at Universitas Gadjah Mada

admin@opensuse.org (openSUSE Asia Summit Team) — Sun, 19 Apr 2026 17:30:00 +0000

The openSUSE.Asia Summit 2026 team is excited to announce the official venue for this year’s conference. The summit will be held at Universitas Gadjah Mada (UGM) in Yogyakarta, Indonesia.

The event will take place at the Teaching Industry Learning Center (TILC) of the Vocational School, a modern facility designed to support collaboration, learning, and industry engagement. The summit is expected to welcome around 350 participants over two days of talks, workshops, and community activities.

Date & Venue

Dates: 3–4 October 2026
Venue: Teaching Industry Learning Center (TILC), Vocational School
Universitas Gadjah Mada (UGM)
Jl. Blimbingsari No.37, Caturtunggal, Depok, Sleman
Special Region of Yogyakarta, Indonesia
OpenStreetMap

We look forward to welcoming you to the UGM campus — a place where academic excellence meets a vibrant student and technology community.

About Universitas Gadjah Mada

Founded in 1949, Universitas Gadjah Mada is one of Indonesia’s leading universities and a symbol of national education and cultural identity. Starting with just six faculties, UGM has grown into a comprehensive institution with 18 faculties, a graduate school, and a vocational school. Today, UGM continues to play a key role in education, research, and innovation, making it an ideal setting for the openSUSE.Asia Summit.

Who Should Attend

We expect more than 350 participants, including:

openSUSE contributors and users
ICT professionals and industry representatives
Free and Open Source Software (FOSS) enthusiasts
Students interested in open-source technologies and development

We can’t wait to welcome you to Yogyakarta — see you on campus at Universitas Gadjah Mada! 🦎🌏

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 17 Apr 2026 08:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from April 10 to 16.

Blogs this week cover a combined two-week Tumbleweed review delivering 10 snapshots with notable updates including the Linux kernel, Qt 6.11.0, and GIMP 3.2.2. A follow-up on the growing ARMv9 build infrastructure, an updated version of OpenVINO, KDE Akademy 2026 in Graz, and more.

Here is a summary and links for each post:

OpenVINO 2026.1: More Models, Performance and a Real Jump in Multimodal AI

Alessandro’s Blog covers the release of OpenVINO 2026.1. The post highlights expanded support for large and multimodal models like GPT-OSS 120B running on CPU and Qwen3-VL across CPU and GPU while pointing out improvements to the OpenVINO Model Server. Alessandro emphasizes the practical value of dynamic LoRA for vision-language models, which lets teams swap adapters at runtime without reloading the base model, which helps cut memory overhead and latency in production.

Discussing RTO in My Genesi T-Shirt

Peter Czánik’s Blog reflects on a conversation with friends about return-to-office policies, prompted by wearing a t-shirt from Genesi, the US company where he first experienced fully remote work in the early days of his career. The post contrasts that flexible, asynchronous work culture with the rigid schedules of other professions like teachers.

New Configurator for Plasma 6.6

The KDE Blog highlights the new Plasma Setup wizard introduced in Plasma 6.6, which is a first-run tool that creates and configures user accounts independently of the operating system installation process. The separation of technical installation steps from user setup steps makes it easier to hand off a device. It is part of Plasma 6.6’s broader focus on improving usability and accessibility for new and reconditioned hardware.

Streaming syslog-ng Data to Your Lakehouse Using OpenTelemetry

Peter Czánik’s Blog explains how Databricks contributed OAuth2 authentication improvements to syslog-ng 4.11.0, which enables customers to stream logs to data lakehouses via the OpenTelemetry protocol. The contributions extended OAuth2 support to gRPC-based destinations including OpenTelemetry, Loki, BigQuery, and ClickHouse.

LibreCan 2026: The meeting of free software in the Canary Islands grows

Victorhck in the Free World promotes the second edition of LibreCan, a free software and hacker culture meetup taking place in the Canary Islands in May 2026. The event has grown since its first edition in 2025 and brings together free software enthusiasts from across the islands.

La Palma Tech Tagoror regresa este 2026

The KDE Blog discusses a series of meetups of the group “San Miguel de la Palma Tech”. The event is planned for April 23, 2026, from 18:00 to 20:00 (Canary time) and is being nicknamed “La Palma Tech Spring 2026”.

eQuest Icon Theme – Elegant Grey and Orange (or Blue or Green) Icons for Your PC

The KDE Blog presents the eQuest icon theme by Thalic with a set of elegant desktop icons combining grey with a vivid accent color such as orange, blue, or green. The pack is designed to complement desktops with matching wallpaper tones and is available through the KDE Store.

120+ Icons and Counting

Jakub Steiner’s Blog celebrates the milestone of over 120 completed app icon requests through the GNOME app-icon-requests project on GitLab. Each icon represents a collaborative design process between a contributor and an app developer following the modern GNOME icon style introduced in 2019.

Magic Folder – Automatically Sort Files with This Plasmoid for Plasma 6 (28)

The KDE Blog presents Magic Folder, the 28th entry in their Plasma 6 plasmoid series, which automatically moves files dropped onto its panel icon into predefined folders. The widget is aimed at users who want to bring order to a cluttered desktop without manual file management. It is a practical addition to the growing library of Plasma 6-native widgets available in the KDE Store.

Following Up on ARMv9 Build Infrastructure

openSUSE News provides an update on the native ARMv9 build capacity added to the Open Build Service following the arrival of NVIDIA Grace Hopper hardware last June. OBS worker dashboards now show active ARMv9 builds across a wide range of packages including the Linux kernel, LLVM, GCC, Python, and Qt. The post also invites hardware vendors to donate or lend equipment to expand multi-architecture coverage further.

release.gnome.org Refactor

Jakub Steiner’s Blog describes porting the GNOME Release Notes website from Jekyll to Zola after his successful migration of his personal blog. The move unlocks two long-missing features: a native RSS feed for GNOME releases and a fully navigable archive of release notes going all the way back to GNOME 2.x. The site now runs as a single binary with zero dependency management, making it far easier for contributors who just want to write markdown.

Submit Your Talk for Akademy 2026 in Graz, Austria

The KDE Blog encourages readers to submit talk proposals for KDE community conference Akademy 2026, which will be held in Graz, Austria from September 19 to 24 as a special edition marking KDE’s 30th anniversary. The event follows a hybrid format, with in-person and online participation. The talks will take place on the first two days with the remainder reserved for working sessions and BoFs. .

Linux Saloon 195 | Open Mic Night

CubicleNate’s Blog recaps episode 195 of the Linux Saloon podcast, which covered a range of tech topics. The episode also touched on critical security flaws in Telegram, and discusses Android malware. The open mic format allowed contributors to share their own perspectives on the week’s developments.

25th Update of KDE Frameworks 6 and the BluezQt Library

The KDE Blog announces the release of KDE Frameworks 6.25. As part of an ongoing series, the post also profiles the BluezQt library, which provides Bluetooth management for KDE Plasma and enables everyday tasks like connecting wireless headphones and monitoring peripheral battery levels.

openSUSE Tumbleweed Weekly Review – Week 14 & 15

Victorhck and dimstar publish a combined two-week Tumbleweed review covering weeks 14 and 15. Ten snapshots were released during the fortnight, delivering updates including the Linux kernel 6.19.10 and 6.19.11, Mozilla Firefox 149.0, Qt 6.11.0, Mesa 26.0.4, GIMP 3.2.2, and LibreOffice 26.2.2.2. Looking ahead, the post previews upcoming changes such as GNOME 50, KDE Plasma 6.6.4, GCC 16 as the default compiler, and LLVM 22.

Moving to Zola

Jakub Steiner’s Blog details the migration of his personal blog from Jekyll to the Rust-based static site generator Zola, driven by frustration with Ruby dependency management. Key benefits highlighted include near-instant build times, a single binary with no external dependencies, and native support for asset colocation keeping images alongside their posts. The post also notes CSS-only dark mode theming and improved font legibility as welcome side effects of the overhaul.

View more blogs or learn to publish your own on planet.opensuse.org.

Following Up on ARMv9 Build Infrastructure

admin@opensuse.org (Douglas DeMaio) — Mon, 13 Apr 2026 11:00:00 +0000

The arrival of NVIDIA Grace Hopper in the Open Build Service (OBS) infrastructure last June signaled more than new hardware; it launched a new era of native ARMv9 build capacity for the openSUSE Project.

The results are becoming visible and more meaningful months later.

The OBS worker monitoring dashboards shows a picture that tells the story better than any changelog. Across dozens of build workers spanning architectures from x86_64 and aarch64 to ppc64le, s390x, and the newer armv9-class machine is humming with activity.

Projects have been underway rebuilding a subset of Tumbleweed packages for ARMv9, and the worker dashboard reflects these efforts.

The dashboard reveals not only the heavy load on aarch64 and armv9 workers but also the remarkable diversity of packages building for the target. From the Linux kernel and compiler toolchains like LLVM and GNU Compiler Collection (GCC), Python packages, Qt frameworks, and more, the workers are compiling these complex workloads with good success rates.

This activity is instrumental to ARMv9, demonstrating that it is evolving beyond its proof-of-concept into an active development distribution path alongside the main Tumbleweed tree.

NVIDIA Grace uses high-performance arm-based CPU cores with the Hopper GPU architecture, linked by NVIDIA’s NVLink™-C2C (Chip-to-Chip) interface. The architecture allows both processors to access data in place, which results in significantly faster compilation and reduced latency for complex workloads. It provides better efficiency across OBS pipelines.

The architectural difference is not an abstract specification point. It translates directly into shorter queue times for contributors, faster feedback loops for package maintainers, and the ability to handle the kinds of large, parallel builds that a rolling-release distribution like Tumbleweed demands.

Integrating native ARMv9 hardware within OBS was essential to unlock maximum performance gains and successfully validate builds optimized for the architecture.

Native builds eliminate the risks of emulated cross-compilation, which often masks critical Application Binary Interface mismatches, instruction scheduling errors, and performance regressions. Deploying the Grace Hopper in production ensures ARMv9 targets are validated on actual silicon, guaranteeing real-world reliability and peak performance.

Collaboration that made this possible is a model worth repeating in its structure, a template. The efforts reflect a shared commitment to open-source and the need for cutting-edge build capabilities. This isn’t just a philosophical framing but a practical argument other hardware companies across the industry can consider.

The openSUSE Project actively welcomes hardware vendors who may want to lend or donate hardware to enable openSUSE on their systems, test openSUSE on their systems, or add more build power to the build system.

Consider what lent or donated hardware to OBS actually achieves for a company. When a vendor’s silicon appears in OBS as a native build target, thousands of open-source packages begin being compiled, tested, and validated continuously and automatically against that architecture. It’s a hardware vendors QA dream!

Every successful build validates software readiness on contributed hardware, while every failure proactively resolves compatibility issues before impacting end users. Continuous integration coverage delivers critical risk mitigation for new processor launches at a negligible infrastructure cost.

The OBS worker pool has comprehensive multi-architecture coverage as seen with Intel/AMD handling the bulk load alongside dedicated ARM, POWER, and Z Systems nodes. The diverse infrastructure, secured through partnerships and community contributions, ensures validation across a large hardware spectrum.

A machine lent, donated or co-located with the project becomes a continuous, automated test bed for software compatibility, running 24 hours a day, maintained by the community, and producing results visible to every Linux developer who watches the Tumbleweed package feed.

The NVIDIA collaboration demonstrates this in practice. OBS’ thriving build farm benefits every distribution user, every application developer, and every hardware vendor whose products run Linux.

If your company makes chips, accelerators, or servers and you want your products to run on Linux, get your hardware into the hands of the people who build the software. The openSUSE Project is ready to put it to work.

For more information, email ddemaio@opensuse.org

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 10 Apr 2026 07:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from April 3 to 9.

Blogs this week cover the fourth bugfix update to KDE Plasma 6.6, Slimbook’s refreshed Creative ultrabook featuring the AMD Ryzen AI 9 365 with a dedicated AI NPU, and the promotion of Slimbook Days 2026, which the sales help support donations to KDE. Blogs also highlight two new Plasmoids for Plasma 6. One is the Aero Weather weather viewer and the other is Battery Plasmoid Boero. There were also practical tips for openSUSE users on using Rufus in DD mode when writing USB install media.

Here is a summary and links for each post:

Use DD Mode When Creating an openSUSE DVD Image with Rufus

The Geeko Blog warns openSUSE users that writing a DVD image to a USB drive using Rufus in ISO mode can silently skip files, resulting in a broken installer that fails to boot mid-installation. The author discovered this when attempting a fresh install of openSUSE 16.0 on physical hardware and confirmed the issue across multiple machines. Switching Rufus to DD mode resolved the problem entirely, and readers are advised to always use DD mode when creating openSUSE USB media.

The KDE Blog presents Aero Weather; it’s a desktop weather viewer widget for KDE Plasma. The plasmoid displays current conditions and a multi-day weather forecast directly on the desktop. It also has support for automatic IP-based location detection or manual coordinates along with customizable font colors.

New Slimbook Creative, Renewing its High-End Model

The KDE Blog covers Slimbook’s 2026 refresh of its Creative ultrabook that features the AMD Ryzen AI 9 365 processor with a dedicated NPU designed for local AI workloads. The updated model also brings improvements in performance, design, personalization, and portability.

Fourth Update of Plasma 6.6

The KDE Blog announces the fourth bugfix update of KDE Plasma 6.6, released on April 7, 2026, continuing the project’s regular maintenance cadence following the feature release. The post recaps the major new features introduced in the full Plasma 6.6 release, including the new Plasma Keyboard on-screen keyboard, OCR text extraction in Spectacle, and a new Plasma Setup configuration wizard. As with all bugfix updates, the release is strongly recommended for all users.

Battery Plasmoid Boero – Visual Plasmoids for Plasma 6 (27)

The KDE Blog presents Battery Plasmoid Boero, which is a widget that provides detailed battery monitoring including charge/discharge graphs and power mode settings. The plasmoid is aimed at laptop users who want more granular control over battery status than the default widget provides. Users interested in energy-efficient computing should visit eco.kde.org.

Interface and Stability Improvements – This Week in Plasma

The KDE Blog translates and summarizes the latest “This Week in Plasma” development report, covering ongoing work on interface refinements and stability fixes headed toward Plasma 6.7. The post highlights improvements across several Plasma components aimed at making the desktop feel more polished and reliable for daily use. This is part of the blog’s ongoing series of Spanish-language translations of Nate Graham’s weekly KDE development updates.

Linux Saloon 194 | News Flight Night

CubicleNate’s Blog recaps episode 194 of the Linux Saloon podcast, which focused on a range of current tech topics including Google’s Android ecosystem changes and sideloading restrictions. Participants also discussed the Claude Code source leak, critical security vulnerabilities in Telegram, and a notable increase in Steam’s reported Linux usage share. Yay!

Japan

Jakub Steiner’s Blog shares a personal travel post about a return trip to Japan. This time focused on Tokyo and a short excursion to Kawaguchiko during cherry blossom season. The post reflects on shooting with a Fuji X-T20 camera rather than relying solely on a smartphone, and includes a link to a full photo gallery on the author’s photo website.

Slimbook Days 2026

The KDE Blog announces the arrival of Slimbook Days 2026, which is a promotional sale period for the GNU/Linux hardware brand happening between April 8 to 12. The post encourages readers to take advantage of the event, noting that Slimbook devices come fully pre-configured for GNU/Linux and come with a portion of each sale supporting the KDE community.

Screenshots and Screen Recording in Plasma 6.6

The KDE Blog examines the screenshot and screen recording improvements in KDE Plasma 6.6, with a particular focus on Spectacle’s new ability to recognize and extract text from captured images using OCR. This addition is highlighted as a significant usability and accessibility improvement and makes it easier to create alt text for visual content.

View more blogs or learn to publish your own on planet.opensuse.org.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Sat, 04 Apr 2026 06:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from March 27 to April 2.

Blogs this week highlight the end of the nearly eight-year openSUSE Leap 15 era with Leap 15.6 reaching end of life, the March 2026 Tumbleweed monthly update covering three Plasma 6.6 point releases and kernel advances to 6.19.9, and the switch to systemd-boot as the default bootloader for fresh Tumbleweed installations. Blogs also cover the Claude Code source leak and its supply chain security lessons, syslog-ng benchmarks hitting 7 million events per second, accessibility improvements in Plasma 6.6, progress on Thunderbird’s Linux system tray integration and more.

Here is a summary and links for each post:

Victorhck compiles and translates highlights from the Free Software Foundation’s April 2026 newsletter, which marks the FSF’s 40th anniversary this month. Topics include Discord’s controversial age verification policies, Google’s friction-heavy process for installing unverified Android apps, and payment provider Nexi terminating its contract with the FSFE after the organization refused to hand over donor data without explanation.

Tumbleweed Monthly Update - March 2026

The openSUSE News publishes its March 2026 Tumbleweed monthly summary. The month saw three Plasma 6.6 point releases, kernel updates from 6.19.5 to 6.19.9, Mesa 26.0.2 fixing RDNA 4 visual corruption, and significant CVE attention for FreeRDP, curl, and the kernel.

The KDE Blog presents Aero Weather, a desktop weather viewer widget for KDE Plasma created by XcurcX. The plasmoid displays current conditions and multi-day forecasts with customizable font colors and supports automatic IP-based location or manual coordinates.

Tahoe Launcher – A macOS-Style Launcher for KDE Plasma – Plasmoids for Plasma 6 (25)

The KDE Blog showcases Tahoe Launcher, which is a minimalist macOS-style application launcher for KDE Plasma featuring a grid layout with transparency and blur effects. The widget is built natively in QML for low resource consumption and allows users to customize the grid dimensions, icon sizes, and search bar design.

Quick Update on the Package Version Tracking Feature in OBS

The Open Build Service Blog shares updates to the package version tracking feature as part of the Foster Collaboration beta program. The API now allows querying upstream and local package versions, and individual packages can opt out of version tracking when upstream monitoring is not relevant.

Closing Out a Roughly 8-Year Era

The openSUSE News announces that the openSUSE Leap 15 series is reaching its end of life after nearly eight years, starting with 15.0 on May 25, 2018. Leap 15.6 will stop receiving maintenance and security updates at the end of this month.

My New Toy: April 1 syslog-ng Performance Tests

Peter Czánik’s Blog presents benchmark results showing syslog-ng reaching 7 million events per second, though he immediately clarifies this is a synthetic lab measurement that does not represent real-world production performance. The post introduces sngbench, his open-source benchmarking tool for comparing syslog-ng performance across architectures and operating systems.

This Month in KDE Linux: March 2026

The KDE Blog summarizes Nate Graham’s March 2026 progress report on Adventures in Linux and KDE. Key improvements include better automatic rollback after failed updates, improved memory management to prevent total system freezes, and easier iPhone/iPad connectivity for photo transfers.

Thunderbird and the System Tray on Linux

Victorhck highlights progress from Thunderbird’s March 2026 development digest regarding the long-requested system tray integration for Linux. Contributor Christophe Henry has been working on a cross-platform approach spanning JavaScript, C++, and Rust to unify unread mail indicators and tray icon behavior.

Automating Test Management with QASE

Zoltán Balogh’s Blog breaks from his usual open-source focus to review QASE, a cloud-based test management tool, finding its API to be its strongest feature. He explains why the open-source world generally lacks dedicated test management tools, which he notes that community-driven projects like openSUSE and Debian tend to crowdsource quality engineering through staged releases rather than formal test plans.

Claude Code Leak: Exposes Half a Million Lines of AI

Alessandro’s Blog analyzes the March 31 incident in which a source map file accidentally published to npm exposed the entire Claude Code codebase, which was roughly 1,900 files and over 512,000 lines of TypeScript. Alessandro frames the incident as a cautionary lesson about build pipeline security and supply chain risks, arguing that the future of AI lies in mastering the orchestration layer around models, not just the models themselves.

My New Toy: Back to High-End Audio

Peter Czánik’s Blog shares how installing software synthesizers and connecting his HP Z2 Mini AI workstation to his HiFi system reminded him of how much better high-end audio sounds compared to the laptop speakers and meeting-oriented headphones he had been using for months. The post is part of his ongoing series about adventures with his AI mini workstation.

KDE Express Episode 71: esLibre2026 – Digital Self-Defense Guide with Enxeñería Sen Fronteiras

The KDE Blog covers episode 71 of the KDE Express podcast featuring Laura Salgueiro Sánchez from Enxeñería Sen Fronteiras promoting a talk at esLibre2026. The session will present a digital self-defense guide aimed at helping anyone improve their online security and recover digital sovereignty without requiring prior cybersecurity knowledge.

What is Better, Windows or Linux? My Experience 1 Year Later

The KDE Blog highlights a video by content creator GCtech sharing his experience after a full year of using Linux as his primary operating system. He praises Linux’s resource efficiency for reviving older hardware, its transparency and security model, while acknowledging gaps in professional software like Adobe and some limitations with AAA gaming.

Accessibility Improvements in Plasma 6.6

The KDE Blog details the accessibility enhancements in Plasma 6.6, including a new grayscale filter joining three existing color blindness correction filters. The magnification feature gains a new tracking mode that keeps the pointer centered on screen, and Slow Keys returns on Wayland to help users with motor difficulties avoid accidental keypresses.

Easy Microphone Sensitivity Adjustment – This Week in Plasma

The KDE Blog translates and covers the latest “This Week in Plasma” development report. Plasma 6.7 gains a microphone test-and-adjust feature, notification portal support for Flatpak apps, and a multi-GPU swapchain implementation in KWin.

openSUSE Tumbleweed Weekly Review – Week 13 of 2026

Victorhck and dimstar report on a slow week for Tumbleweed with only two snapshots (0324 and 0326) reaching the mirrors due to the transition from grub2-bls to systemd-boot as the default bootloader for fresh installations. Notable updates delivered include KDE Plasma 6.6.3, ffmpeg 8.1, FreeRDP 3.24.1, Linux kernel 6.19.9, and qemu 10.2.2. Upcoming changes in the pipeline include GNOME 50, Qt 6.11.0, Mozilla Firefox 149.0, GCC 16, and glibc 2.43.

View more blogs or learn to publish your own on planet.opensuse.org.

Tumbleweed Monthly Update - March 2026

admin@opensuse.org (Douglas DeMaio) — Thu, 02 Apr 2026 08:00:00 +0000

There were several software package updates for openSUSE Tumbleweed during March.

Tumbleweed saw three Plasma 6.6 updates bringing progressive bugfixes to KWin, the system tray, Spectacle, and the Kicker launcher. KDE Frameworks advanced to 6.24.0 with nanosecond-precision timestamps in KIO and a new Kirigami StyleHints API. The Linux kernel moved from 6.19.5 to 6.19.9 with broad fixes across audio, display, and filesystem drivers. Both the Linux Kernel and FreeRDP fixed several Common Vulnerabilities and Exposures, and Mesa 26.0.2 resolved visual corruption on RDNA 4 hardware and a Counter-Strike 2 regression on Intel Arc.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

Plasma 6.6.1, 6.6.2 & Plasma 6.6.3: Version 6.6.3 finished the month with the third update. Application launcher Kicker receives several fixes for the sidebar, icon display, and expanded root list width calculations. The Task Manager now keeps thumbnails properly aligned in horizontal group tooltips. Spectacle resolves a crash on quick region selection and fixes a pixel-off error in the magnifier tool. The system tray sees improved popup placement on Wayland. PowerDevil restores the battery badge for 100 percent charge and syncs the manual inhibition switch with external changes. Plasma 6.6.2 has KWin resolve crashes in DRM output handling, improves mouse tracking with caret-based zoom, and fixes input region gaps in window decorations. The Kicker applet sees refinements in visual search, scrollbar behavior, and hover logic. Spectacle fixes a crash when exporting via KDE Connect, and System Settings now correctly navigates to subcategories from search results. In version 6.6.1, KWin sees the most changes with fixes for corner rounding applying to both decorations and window surfaces, zoom now works correctly on rotated outputs, and software brightness dimming on external screens on screens were enhanced. The tile editor no longer triggers on key repeat, and interactive move-resize no longer unconditionally raises windows. Clipboard and drag-and-drop teardown under XWayland is improved, and*Wine/Proton color management gains better compatibility. The Kicker application launcher for the Plasma Desktop receives multiple fixes for the icon display, layout margins, and search field behavior. The Task Manager corrects tooltip sizing. The digital clock now properly localizes digits, and the media controller fixes premature label truncation. Plasma Network Manager improves icon accuracy for Wi-Fi disabled states and now responds to external configuration changes. Discover improves Flatpak app resolution and exposes proper star count ratings. Powerdevil adds a power level check before executing critical actions that prevent premature shutdowns.

GNOME Control Center 49.5: The Display and Power panels now handle a missing UPower service instead of failing. An infinite loop when switching battery charge modes on systems with multiple batteries was fixed. Sound and Bluetooth device switching regressions are resolved through an updated libgnome-volume-control.

libxml2 2.15.2: A significant version jump that removes the built-in HTTP client and LZMA compression support, and the parser option XML_PARSE_UNZIP is now required to read compressed data. HTML serialization and character encoding handling are brought more in line with the HTML5 specification, and additional accessors for xmlParserCtxt were added for developers. Several previously patched CVEs are now resolved upstream, including fixes for attribute normalization and standalone checks. Python bindings are no longer built as they are scheduled for removal in 2.16, and Schematron support has similarly been dropped.

Xfce 4.20.2: This update covers the screensaver, session manager, and display settings. xfce4-screensaver fixes a wrong conditional in the lock plug, improves theme preview rendering, and switches from pidof to pgrep for more reliable process detection. The overlay window handling is reworked to use a single permanent window, improving device reliability. xfce4-session fixes an idle function and prevents multiple logout dialogs from being created. It also adds gnome-keyring as a Secret portal provider and improves keyboard layout detection on Wayland. xfce4-settings improves display management by checking EDID to detect output list changes, adds a missing condition for new Wayland outputs, and falls back to output name when EDID data is duplicated.

KDE Frameworks 6.24.0: This updates see KIO gain nanosecond-precision timestamps across file operations, improved paste dialogs with proper titles, and refined trash handling. KCodecs overhauls encoding with safer memory management (using unique_ptr) and Kirigami introduces a new StyleHints API to unify theme behavior. Baloo fixes database access mode issues and KTextEditor adds search history clearing and safer clipboard handling.

7-Zip 26.00: The file manager now uses the file name as a secondary sorting key for more intuitive file list ordering, and the benchmark tool supports systems with more than 64 CPU threads. A bug preventing correct extraction of TAR archives containing sparse files is fixed.

KDE Gear 25.12.3: Kdenlive addresses numerous stability and usability issues, including crashes in the curve editor, audio scrubbing with “Pause on Seek” disabled, and provides better handling of multi-stream clips and improved effect management. Itinerary and Kitinerary expand travel support with new extractors for ferry tickets. NeoChat refines room list navigation, fixes emoticon editor layout issues, prevents timeline scrolling during reactions, and resolves a crash. KMail restores proper rendering of plain-text emails and Tokodon fixes alt-text editing and account switching after login failures.

ImageMagick 7.1.2.16 - 7.1.2.18: The image editor update for version 7.1.2.18 improves the reliability of animated image handling by fixing frame delay parsing and resolves a visual artifact where the -dissolve composite operation introduced random noise. Version 7.1.2.17 focused on addressing multiple vulnerabilities and security advisories are resolved along with out-of-band data handling improvements. Version 7.1.2.16 hardens security and adds overflow checks to several image write paths including JXL, PS3, sixel, SGI, and BMP/DIB. It fixes a heap over-read in BilateralBlurImage with even-dimension kernels, a NULL pointer dereference in HEIC NCLX color profile allocation, and a double-free in SVG gradientTransform parsing.

Ruby 4.0.2: This update fixes a YJIT bug. A segfault with argument forwarding combined with splat and positional arguments is resolved, along with a GC crash in String#% and a crash on signal raise. A 20 percent performance regression in Rails related to global allocatable slots and empty pages is addressed. Several Prism parser issues were corrected including misparsing of standalone in pattern matching and the and? predicate being confused with the and keyword.

FreeRDP 3.24.1: This update sees the API comprehensively marked with [[nodiscard]] to surface unchecked function return values. Smartcard support is improved including ECC key handling in PKCS#11 enumeration, proxy support is extended to RFX and NSC graphics modes, and SDL3 multi-monitor scaling is introduced. Numerous memory leaks across connection setup, settings copying, and smartcard paths were resolved.

libavif 1.4.0: This update adds support for Sample Transform schemes from the AVIF 1.2 specification, which enables 16-bit AVIF file handling and grid-based derived image items. Data behind a document for the software handles picture files was made with avifenc, which can now read PNG or JPEG files through stdin via --stdin-format and supports converting JPEG files with Apple-style gain maps. PNG decoding now respects cICP chunks for color information as per the PNG Third Edition specification. Encoding defaults have been refined; AOM_TUNE_IQ is now used for still color samples with libaom v3.13.0+, while AOM_TUNE_PSNR is used for alpha to avoid ringing artifacts from SSIM tuning. Support for libaom versions 2.0.0 and earlier is removed.

Key Package Updates

Linux kernel 6.19.5 - 6.19.9:: The 6.19.9 update improved audio with a speaker pop fix for Star Labs StarFighter hardware and the Btrfs filesystem resolves a space info lock issue during periodic reclaim. NFS3 now correctly returns EISDIR when a create operation encounters a directory alias. The 6.19.8 kernel was dominated by a major batch of AppArmor fixes and multiple CVE-tracked fixes that were backported. The 6.19.7 release receives multiple corrections for CFS/EEVDF scheduler including fixes for zero_vruntime tracking, lag clamping, and slice protection timing. The AMD XDNA accelerator driver resolves several issues including a crash when destroying suspended hardware contexts. The 6.19.6 kernel had fixes led by extensive perf tooling corrections including reference count leaks, srcline printing with inlines, and Zen 5 vendor event definitions for AMD. Btrfs replaces a BUG() call with proper error handling for unexpected delayed ref types, adds fallback to buffered IO for data profiles with duplication, and improves user interrupt handling in btrfs_trim_fs(). The 6.19.5 releases sees Btrfs correct a block_group_tree dirty list corruption and a chunk allocation abort caused by non-consecutive gaps. GFS2 resolves quota handling and an inline data write path. The SMB client fixes a potential use-after-free and double free in smb2_open_file(). A netfilter nf_tables fix adds an abort skip removal flag for set types to address tracked security-relevant issues.

GStreamer 1.28.1: This update includes a new whisper-based speech-to-text transcription element and the speechmatics element now supports detecting audio events like applause, laughter, and music. Reverse playback and gap handling are improved across multiple components. The V4L2 subsystem gains support for AV1 stateful decoding, and CUDA/GL interop copy paths in cudaupload and cudadownload are fixed. WebRTC components gain the ability to specify custom headers for signalling servers and negotiate H.264 profile and level for encoded input. Various memory leaks, build issues, and race conditions were resolved.

curl 8.19.0: This release addresses four security vulnerabilities and provides new features like initial support for MQTTS and fractional values for --limit-rate and --max-filesize. Support for OpenSSL-QUIC was dropped. A potential NULL dereference in Curl_h1_req_parse_read() was fixed along with a potential out-of-bounds read in OpenSSL debug logging. The build now enables NTLM authentication for compatibility with certain Exchange Server endpoints.

systemd 259.3 & 259.5: The 259.5 update had a notable fix and corrected systemd-update-helper from incorrectly skipping systemctl disable during package removal. A new clean-state command is introduced and triggered automatically at the end of any transaction installing unit files. The systemd-container subpackage now requires libarchive instead of tar for archive handling. Additional systemd-update-helper fixes address do_install_units() incorrectly returning an error when no units need preset, and the clean-state command itself is corrected to remove the full state directory rather than just a subdirectory. The 259.3 was a major version upgrade. The libcap dependency was removed entirely, with its system call wrappers reimplemented directly in systemd.

GnuPG 2.5.18: This update adds support for deleting composite secret keys in gpg-agent and fixes armor parsing when no CRC is found. A recent regression in pkdecrypt with TPM RSA keys is resolved, and scdaemon adds support for D-Trust Card 6.1/6.4. The dirmngr key server search now prints all UID records for a key, which fixes a regression dating back to 2015.

Mesa 26.0.2: The release fixes visual corruption on RDNA 4 in DX11/DXVK titles like Mafia III, a GPU hang with PS epilogs and secondary command buffers, and missing L2 cache invalidation with streamout on GFX12. A Counter-Strike 2 visual glitch regression on Intel A770 is resolved. The Panfrost Bifrost compiler fixes a failure from incorrect vectorization and spill placement issues. An OpenGL VRAM memory leak when setting uniform variables is corrected. X11 shared memory attachment checks are added across drisw, EGL, GLX, and Vulkan WSI paths to prevent allocation failures.

GTK3 3.24.52: This update fixes a Firefox crash at gdk_wayland_drag_context_manage_dnd() when a toplevel Wayland surface is missing, and resolves wild strobing in multi-window mode. A refresh rate calculation overflow on 32-bit targets is corrected, and recolored icon images are no longer constantly reloaded. Accessibility events for unfocused GtkTreeView widgets are fixed, and XKB initialization failures on Wayland are now handled more gracefully.

libtpms 0.10.2: This update fixes a memory leak by freeing the KDF context and resolves incorrect IV retrieval when using OpenSSL 3.0 or later. A build fix for compatibility with newer glibc is also included. For Tumbleweed users running TPM-based virtualization with QEMU or swtpm, this is a security-relevant update.

xfsprogs 6.18.0: This update spans three releases. The mkfs.xfs tool gains several improvements including the ability to configure desired maximum atomic write sizes, AG size alignment based on atomic write capabilities, autodetection of log stripe unit for external log devices, and new default features enabled out of the box with a 2025 LTS config file. Zoned filesystem support is refined with fixes for zone capacity checks on sequential zones and improved default maximum open zones. The proto subsystem adds the ability to populate a filesystem directly from a directory. xfs_scrub removes its EXPERIMENTAL warnings and fixes a null pointer crash in scrub_render_ino_descr. Cross-architecture log CRC mismatches between i386 and other architectures are corrected, and libxfs gains support for reproducible filesystems using deterministic time and seed values. Deprecated sysctl knobs and mount options are removed. The Python dependency is also dropped from the main package since the xfs_protofile script is not essential.

Security Updates

Python 3.11.15:

CVE-2025-11468: Fixes a header injection flaw in email header folding where long comments with unfoldable characters could allow injecting headers into email messages.
CVE-2025-12084: Addresses quadratic complexity that could lead to denial of service when processing deeply nested documents.
CVE-2025-6075: Resolves a performance degradation in os.path.expandvars() when user-controlled values are passed for environment variable expansion.
CVE-2026-2297: Fixes an issue where CPython’s import hook for legacy .pyc files did not trigger sys.audit handlers and could potentially allow a security monitoring bypass.

bind 9.20.21:

CVE-2026-1519: Fixes a flaw that could potentially lead to denial of service.
CVE-2026-3104: Addresses a memory leak that could cause unbounded memory growth and an out-of-memory condition.
CVE-2026-3119: Resolves an issue where an authenticated query could cause a termination unexpectedly.
CVE-2026-3591: Fixes a use-after-return flaw that could allow an attacker to bypass ACL restrictions via crafted DNS requests.

Linux kernel 6.19.8::

CVE-2026-23230: Fixes a vulnerability in the ksmbd kernel SMB server.
CVE-2026-23220: Addresses an infinite loop caused by next_smb2_rc in ksmbd.
CVE-2026-23226: Resolves a missing lock to protect ksmbd channel list.
CVE-2026-23228: Fixes a leak of active_num_conn in the ksmbd SMB server.
CVE-2025-71231: Addresses an out-of-bounds index in the crypto IAA driver.
CVE-2026-23222: Fixes a memory allocation issue in the crypto OMAP driver.
CVE-2026-23229: Resolves a missing spinlock protection in the crypto virtio driver.
CVE-2025-71237: Fixes a potential block overflow in nilfs2 that could cause corruption.
CVE-2025-71230: Addresses an issue where HFS superblock info was not always cleaned up properly.
CVE-2025-71229: Resolves an alignment fault in the rtw88 WiFi driver.
CVE-2025-71236: Fixes missing validation before freeing resources in the qla2xxx SCSI driver.
CVE-2025-71235: Addresses a module unload race condition in the qla2xxx SCSI driver.
CVE-2025-71232: Resolves a memory leak in an error path in the qla2xxx SCSI driver.
CVE-2026-23225: Fixes an incorrect CID ownership assumption in the scheduler mmcid subsystem.
CVE-2026-23221: Addresses a use-after-free in the fsl-mc bus driver override handling.
CVE-2026-23224: Resolves a use-after-free in erofs for file-backed mounts.
CVE-2026-23223: Fixes a use-after-free in XFS btree block owner checking.
CVE-2026-23227: Addresses a missing lock protection in the Exynos VIDI DRM driver.
CVE-2025-71233: Resolves an issue with asynchronous sub-group creation in PCI endpoint.
CVE-2025-71234: Fixes a slab out-of-bounds access in the rtl8xxxu WiFi driver.
CVE-2025-71238: Addresses a double-free in the qla2xxx SCSI driver’s bsg_done handler.
CVE-2026-23236: Fixes improper ioctl memory copy in the smscufx framebuffer driver.
CVE-2026-23235: Resolves an out-of-bounds access in f2fs sysfs attribute handling.
CVE-2026-23234: Addresses a use-after-free in f2fs write end I/O handling.

libtpms 0.10.2:

CVE-2026-21444: Fixes a flaw in libtpms that weakened encryption and decryption.

LibVNCServer:

CVE-2026-32853: Fixes a vulnerability where a crafted message could lead to information disclosure or denial of service.
CVE-2026-32854: Addresses an issue where crafted requests could cause a denial of service.

freeipmi 1.6.17:

CVE-2026-33554: Resolves improper memory handling and data validation that could lead to stack buffer overflows and acceptance of malformed payloads.

nghttp2 1.68.1:

CVE-2026-27135: Addresses a vulnerability that fixes an assertion failure from missing state validation.

inkscape 7.1.2.15:

CVE-2026-24481: Fixes a heap information disclosure when processing malformed PSD files.
CVE-2026-25794: Addresses a heap buffer overflow via integer overflow when writing images with large dimensions.
CVE-2026-25796: Resolves a memory leak that could be exploited for denial of service.
CVE-2026-25637: Fixes a memory leak in the ASHLAR image writer that could lead to denial of service.
CVE-2026-25576: Addresses a heap buffer over-read in multiple raw image format handlers potentially disclosing sensitive information.
CVE-2026-26983: Fixes a NULL pointer dereference in the MSL interpreter that could cause a crash.
CVE-2026-26284: Resolves a use-after-free that could lead to denial of service or code execution.
CVE-2026-26283: Addresses an infinite loop in the JPEG encoder that could cause denial of service.
CVE-2026-25965: Fixes a path traversal that could allow reading arbitrary files on the system.
CVE-2026-25967: Addresses improper encoding or escaping of output that could allow arbitrary command execution.
CVE-2026-25989: Fixes an integer overflow in the internal SVG decoder that could cause denial of service.
CVE-2026-25968: Resolves a memory leak in coders that write raw pixel data potentially leading to denial of service.
CVE-2026-24485: Addresses an out-of-bounds read that could cause a crash.
CVE-2026-25985: Fixes unbounded resource allocation in the SVG decoder that could lead to denial of service.
CVE-2026-25987: Resolves an integer overflow in the SVG decoder potentially causing denial of service.
CVE-2026-25966: Addresses a security policy bypass via fd: pseudo-filenames allowing stdin/stdout access.
CVE-2026-25799: Fixes an out-of-bounds read that could disclose memory contents.
CVE-2026-25798: Resolves an out-of-bounds read potentially leading to information disclosure or a crash.
CVE-2026-25795: Fixes a NULL pointer dereference that could cause a denial of service.
CVE-2026-26066: Addresses resource exhaustion when writing IPTCTEXT that could lead to denial of service.
CVE-2026-25638: Resolves a memory leak that could be exploited for denial of service.
CVE-2026-25797: Fixes a code injection issue that could allow arbitrary code execution.
CVE-2026-25897: Addresses a heap buffer overflow in the sun decoder potentially causing a crash.
CVE-2026-25970: Resolves a memory leak that could lead to denial of service via image processing.
CVE-2026-25982: Fixes a use-after-free that could lead to denial of service or code execution.
CVE-2026-25983: Addresses an out-of-bounds read in the PCD coder that could disclose memory contents.
CVE-2026-25898: Resolves an out-of-bounds read that could cause a crash or information disclosure.
CVE-2026-25971: Fixes a memory leak in the text coder that could lead to denial of service.
CVE-2026-25988: Addresses a use-after-free in the meta coder potentially allowing code execution.
CVE-2026-25969: Resolves a memory leak that could lead to denial of service via image processing.
CVE-2026-25986: Fixes a vulnerability that could lead to denial of service when processing crafted images.

expat 2.7.5:

CVE-2026-32776: Fixes a NULL pointer when handling empty external parameter entity content.
CVE-2026-32777: Addresses an infinite loop that could lead to denial of service.
CVE-2026-32778: Resolves a NULL pointer after an earlier out-of-memory condition.

TigerVNC:

CVE-2026-34352: Fixes incorrect permissions that could allow other users to observe or manipulate screen contents, or cause a crash.

clamav 1.5.2:

CVE-2026-20031: Fixes an error handling bug that could crash the program and cause a denial of service.

FreeRDP 3.24.1:

CVE-2026-29774: Fixes a client-side heap buffer overflow.
CVE-2026-29775: Addresses an off-by-one boundary check in the bitmap cache subsystem that could cause out-of-bounds read/write.
CVE-2026-29776: Resolves an integer underflow that could lead to a crash.
CVE-2026-31806: Fixes a heap buffer overflow caused by unchecked bitmap dimensions from a malicious server.
CVE-2026-31883: Addresses a size_t underflow leading to a heap buffer overflow via the RDPSND channel.
CVE-2026-31884: Resolves a division-by-zero in the ADPCM decoders when nBlockAlign is 0, causing a crash.
CVE-2026-31885: Fixes an out-of-bounds read in the ADPCM decoders due to missing predictor and step_index bounds checks.

giflib:

CVE-2026-23868: Fixes a double-free vulnerability from a shallow copy that could lead to memory corruption.

curl 8.19.0:

CVE-2026-1965: Fixes bad reuse of HTTP Negotiate connections that could lead to authentication bypass with wrong credentials.
CVE-2026-3783: Addresses a token leak when following redirects with netrc credentials.
CVE-2026-3784: Resolves wrong proxy connection reuse with different credentials, potentially exposing authenticated sessions.
CVE-2026-3805: Fixes a use-after-free in SMB connection reuse that could lead to a crash or potential code execution.

QEMU 10.2.2:

CVE-2026-2243: Fixes an out-of-bounds read in QEMU’s VMDK image handling that could lead to information disclosure or denial of service.
CVE-2026-3196: Addresses an integer overflow that could allow a malicious guest to cause unbounded memory allocation and denial of service on the host.

udisks2:

CVE-2026-26104: Fixes a missing authorization check that allowed unprivileged users to back up LUKS encryption headers and potentially expose sensitive cryptographic metadata.
CVE-2026-26103: Addresses a missing authorization check that allowed unprivileged users to restore LUKS encryption headers, which could potentially render encrypted volumes inaccessible.

GVFS 1.58.2:

CVE-2026-28296: Fixes a CRLF injection flaw in the FTP backend that could allow a remote attacker to inject arbitrary FTP commands via crafted file paths.

python-tornado6

CVE-2026-31958: Fixes a denial-of-service vulnerability where requests with thousands of parts could cause excessive CPU consumption.

libjxl 0.11.2:

CVE-2026-1837: Fixes a memory corruption issue when processing crafted grayscale images with LCMS2 that could potentially lead to code execution or information disclosure.

util-linux:

CVE-2026-3184: Addresses improper hostname canonicalization that could allow bypass of host-based PAM access control rules.

sdbootutil:

CVE-2026-25701: Fixes an insecure temporary file vulnerability that could allow local users to access private information or manipulate boot configuration data.

ImageMagick 7.1.2.17:

CVE-2026-32259: Fixes a stack-based buffer overflow when a memory allocation fails that could potentially allow writes past the end of a buffer.

GraphicsMagick:

CVE-2026-25799: Provides a fix that could lead to a crash and denial of service.
CVE-2026-28690: Fixes a stack buffer overflow vulnerability that could lead to a crash or potential code execution.
CVE-2026-30883: Addresses a heap overflow when encoding a PNG image with an extremely large image profile.

libsoup2:

CVE-2026-1760: Fixes improper handling of HTTP requests combining certain headers that could lead to HTTP request smuggling and potential denial of service.
CVE-2026-1467: Addresses a lack of input sanitization that could lead to unintended or unauthorized HTTP requests.
CVE-2026-1539: Resolves proxy authentication credentials being leaked via the Proxy-Authorization header when handling HTTP redirects.
CVE-2026-0716: Fixes a flaw in WebSocket frame processing that could cause out-of-bounds memory reads, potentially leading to memory exposure or a crash.

freetype2 2.14.2:

CVE-2026-23865: Fixes an integer overflow in the FreeType library that could allow an out-of-bounds read when parsing OpenType variable fonts.

exiv2 0.28.8:

CVE-2026-25884: Fixes an out-of-bounds read in the CRW image parser when processing crafted image files.
CVE-2026-27631: Addresses an integer overflow causing an uncaught exception that could lead to a crash and denial of service.
CVE-2026-27596: Resolves an out-of-bounds read in preview handling that could cause a crash when processing crafted image files.
CVE-2025-54080: Fixes an out-of-bounds read triggered when writing metadata into a crafted image file, potentially causing a crash.
CVE-2025-55304: Addresses quadratic performance in ICC profile parsing that could lead to denial of service.
CVE-2025-26623: Resolves a heap buffer overflow when writing metadata into a crafted image file, potentially allowing code execution.

Salt:

CVE-2026-31958: Fixes a denial-of-service vulnerability where requests could cause excessive CPU consumption.

openexr 3.4.6:

CVE-2026-27622: Fixes an out-of-bounds write that could potentially lead to code execution when processing crafted EXR files.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

March 2026 was a month defined by refinement and security hardening across the openSUSE Tumbleweed stack. The three Plasma 6.6 point releases demonstrated KDE’s steady cadence of desktop polish, while the kernel’s progression from 6.19.5 to 6.19.9 kept hardware support and filesystem reliability moving forward. Security was a clear theme throughout the month, with FreeRDP, curl, libsoup2, and the kernel itself all receiving significant CVE attention alongside a broad sweep of image processing fixes across GraphicsMagick, ImageMagick, and exiv2. Under the hood, the jump to libxml2 2.15.2 marked a meaningful step forward in web standards alignment, and GStreamer 1.28.1 pushed multimedia capabilities forward with speech-to-text transcription and AV1 decoding support.