Bug 35137 - libvpx new security issue CVE-2026-2447
Summary: libvpx new security issue CVE-2026-2447
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-02-17 11:18 CET by Nicolas Salguero
Modified: 2026-02-20 18:29 CET

See Also:
Source RPM: libvpx-1.12.0-1.4.mga9.src.rpm
CVE: CVE-2026-2447
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-02-17 11:19:28 CET

Source RPM: (none) => libvpx-1.15.2-1.mga10.src.rpm, libvpx-1.12.0-1.4.mga9.src.rpm
CVE: (none) => CVE-2026-2447
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-02-17 11:33:20 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap buffer overflow in libvpx. (CVE-2026-2447)

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/
========================

Updated packages in core/updates_testing:
========================
lib(64)vpx7-1.12.0-1.5.mga9
lib(64)vpx-devel-1.12.0-1.5.mga9
libvpx-utils-1.12.0-1.5.mga9

from SRPM:
libvpx-1.12.0-1.5.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Source RPM: libvpx-1.15.2-1.mga10.src.rpm, libvpx-1.12.0-1.4.mga9.src.rpm => libvpx-1.12.0-1.4.mga9.src.rpm
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

Comment 2 PC LX 2026-02-17 15:21:09 CET
Installed and tested without issues.

Tested using handbrake, and vpxdec/vpxenc.
Encoded and decoded to/from VP8 and VP9.
Played produced videos with vlc and mpv.
All OK. No issues found.

System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.6.120-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Jan 14 01:59:53 UTC 2026 x86_64 GNU/Linux
$ rpm -qa | grep -P 'vpx.*-1\.12\.0-1\.5' | sort
lib64vpx7-1.12.0-1.5.mga9
lib64vpx-devel-1.12.0-1.5.mga9
libvpx-utils-1.12.0-1.5.mga9
$ inxi -b
System:
  Host: jupiter Kernel: 6.6.120-desktop-1.mga9 arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
  Type: Desktop System: ASUS product: N/A v: N/A serial: <superuser required>
  Mobo: ASUSTeK model: TUF GAMING B450-PLUS II v: Rev X.0x
    serial: <superuser required> UEFI: American Megatrends v: 3802
    date: 04/28/2022
CPU:
  Info: 6-core AMD Ryzen 5 5600G with Radeon Graphics [MT MCP] speed (MHz):
    avg: 400 min/max: 400/4464
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 24 [Radeon RX 6400/6500
    XT/6500M] driver: vfio-pci v: N/A
  Device-2: Advanced Micro Devices [AMD/ATI] Cezanne [Radeon Vega Series /
    Radeon Mobile Series] driver: amdgpu v: kernel
  Device-3: Microdia CameraA driver: snd-usb-audio,uvcvideo type: USB
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 1920x1080~60Hz
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 25.0.7 renderer: AMD
    Radeon Graphics (radeonsi renoir ACO DRM 3.54 6.6.120-desktop-1.mga9)
Network:
  Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
    driver: r8169
Drives:
  Local Storage: total: 465.76 GiB used: 57.29 GiB (12.3%)
Info:
  Memory: total: 32 GiB note: est. available: 30.64 GiB used: 5.89 GiB (19.2%)
  Processes: 392 Uptime: 5h 21m Shell: Bash inxi: 3.3.36

CC: (none) => mageia

katnatek 2026-02-17 20:58:41 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2026-02-20 14:33:12 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 34346 and tests above.
Ran handbrake under strace to convert an avi file to mp4. Trace shows calls to libvpx, and resulting file plays OK in vlc.
Had another try at the CLI:
$ vpxenc -w 1280 -h 720 -o test.mkv PB030069.AVI 
Pass 1/2 frame  121/122    25376B    1677b/f   50332b/s   21360 ms (5.66 fps)
Pass 2/2 frame  121/97    992758B 4598255 ms 1.58 fpm [ETA  0:19:30]   23845F   3836F   9932F   5442F  12227F   5191F   4396F   9418F   4936F  14452F
Pass 2/2 frame  121/121  1146580B   75806b/f 2274208b/s 5204970 ms (0.02 fps)
but the resulting mkv file opens in vlc but is just 4 seconds of grey shimmering (original avi is 48 seconds).
Waiting for result of another try with vp9 codec.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2026-02-20 15:45:38 CET
$ vpxenc --codec=vp9 -w 1280 -h 720 -o test.mkv PB030069.AVI 
Pass 1/2 frame  121/122    25376B    1677b/f   50332b/s   21699 ms (5.58 fps)
Pass 2/2 frame  121/97    992758B 3689452 ms 1.97 fpm [ETA  0:15:29]   23845F   3836F   9932F   5442F  12227F   5191F   4396F   9418F   4936F  14452F
Pass 2/2 frame  121/121  1146580B   75806b/f 2274208b/s 4330164 ms (0.03 fps)
But result is the same.
So as in previous update, let go, not to withhold for my lack of knowledge.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 5 Thomas Andrews 2026-02-20 17:11:06 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2026-02-20 18:29:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0044.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

