[Buildroot] Buildroot 2026.02.3 released

[Arnout Vandecappelle via buildroot <buildroot@buildroot.org>]

Hi,

Buildroot is a simple tool for creating complete embedded Linux systems
(https://buildroot.org).

Buildroot 2026.02.3 is released - Go download it at:

https://buildroot.org/downloads/buildroot-2026.02.3.tar.gz

or

https://buildroot.org/downloads/buildroot-2026.02.3.tar.xz

Or get it from Git:

https://gitlab.com/buildroot.org/buildroot.git (2026.02.3 tag)

Buildroot 2026.02.3 is a bugfix release, fixing a number of important /
security related issues discovered since the 2026.02.2 release.

Important / security related fixes:

asterisk: GHSA-8fj4-fv9f-hjpc, GHSA-g88q-c2hm-q7p7,
  GHSA-j29p-pvh2-pvqp, GHSA-x5pq-qrp4-fmrj
bind: CVE-2026-3039, CVE-2026-3592, CVE-2026-5946, CVE-2026-5950
capnproto: CVE-2026-322, CVE-2026-32239, CVE-2026-32240
cups-filters: CVE-2025-64524
dnsmasq: CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892,
  CVE-2026-4893, CVE-2026-5172
docker-engine: CVE-2025-54388
dropbear: CVE-2019-6111, CVE-2026-35385
exim: (no CVE assigned), CVE-2026-48840
expat: CVE-2026-45186
freeipmi: CVE-2026-50031
glibc: CVE-2026-4046, CVE-2026-4437, CVE-2026-4438, CVE-2026-5450,
  CVE-2026-5928
gnupg2: (no CVE assigned)
haveged: CVE-2026-41054
imagemagick: CVE-2026-42326, CVE-2026-45031, CVE-2026-45358,
  CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520,
  CVE-2026-46521, CVE-2026-46522, CVE-2026-46523, CVE-2026-46557,
  CVE-2026-46559
intel-microcode: CVE-2025-35979
libde265: CVE-2026-45382, CVE-2026-45383, GHSA-ccfw-29x7-rrx3,
  GHSA-j2qq-x2xq-g9wr
libgpg-error: T8239
libheif: CVE-2026-32738, CVE-2026-32739, CVE-2026-32740,
  CVE-2026-32741, CVE-2026-32814, CVE-2026-32882, CVE-2026-3949,
  CVE-2026-41069, CVE-2026-41071, CVE-2026-47178, CVE-2026-47247,
  CVE-2026-47251, CVE-2026-47254, CVE-2026-47709, CVE-2026-47714,
  GHSA-5hqq-636x-r3cr, GHSA-6x5f-qchq-cxqv, GHSA-jvmp-j3cw-84mh,
  GHSA-r7qj-cg5r-r6vf
libmad: CVE-2017-837, CVE-2017-8372, CVE-2017-8373, CVE-2017-8374
libmodsecurity: CVE-2026-30923, CVE-2026-42268
libssh2: CVE-2026-7598
liburiparser: CVE-2026-44927, CVE-2026-44928
libusb: CVE-2026-23679, CVE-2026-47104
libvncserver: CVE-2026-3285, CVE-2026-32853, CVE-2026-32854
mariadb: CVE-2026-34303, CVE-2026-3494, CVE-2026-44168, CVE-2026-44169,
  CVE-2026-44170, CVE-2026-44171, CVE-2026-44172, CVE-2026-44173
memcached: (no CVE assigned)
nginx: CVE-2026-40460, CVE-2026-40701, CVE-2026-42926, CVE-2026-42934,
  CVE-2026-42945, CVE-2026-42946, CVE-2026-9256
php: CVE-2026-44927, CVE-2026-44928
postgresql: CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475,
  CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479,
  CVE-2026-6575, CVE-2026-6637, CVE-2026-6638
privoxy: OVE-20260515-0001, OVE-20260515-0002
putty: (no CVE assigned)
python-urllib3: CVE-2026-44431, CVE-2026-44432
python3: CVE-2026-3276, CVE-2026-7774, CVE-2026-8328, gh-146211,
  gh-146333, gh-148169, gh-148178, gh-148395, gh-149017, gh-149254,
  gh-90309
radvd: CVE-2026-48715
rsync: CVE-2026-29518, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619,
  CVE-2026-43620, CVE-2026-45232
runc: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881
samba4: CVE-2026-1933, CVE-2026-2340, CVE-2026-3012, CVE-2026-3238,
  CVE-2026-4408, CVE-2026-4480
sdl2_image: CVE-2026-35444
sed: CVE-2026-5958
sshfs: CVE-2026-47187, CVE-2026-48711
tor: TROVE-2026-013, TROVE-2026-014, TROVE-2026-015, TROVE-2026-016,
  TROVE-2026-017, TROVE-2026-018, TROVE-2026-019, TROVE-2026-020,
  TROVE-2026-021, TROVE-2026-022
unbound: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
  CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42944,
  CVE-2026-42959, CVE-2026-42960, CVE-2026-44390, CVE-2026-44608
unzip: CVE-2021-4217
xserver_xorg-server: (no CVE assigned)
xwayland: (no CVE assigned)

Toolchain:

- linux-headers: bump to 5.10.257, 5.15.208, 6.1.174, 6.6.141, 6.12.91,
  6.18.33

Infrastructure updates/fixes:

- cve-check: fix vulnerabilities with different analysis
- generate-cyclonedx: add hashes from .hash files to externalReferences
- generate-cyclonedx: hint at missing Buildroot host package on a
  specific error
- bump-stable-kernel-versions: update for split hash file
- kconfig: fix compiler warnings
- cve-check: add indication how to run
- Remove /usr/share/info/dir from target
- generate-cyclonedx: remove indirect dependencies from root component
- replicate IGNORE_CVES to host packages
- cve-check: remove 'bom-ref' for vulnerabilities
- generate-cyclonedx: generate externalReferences with
  source-distribution
- cve-check: fix vulnerability timestamp to RFC 3339
- generate-cyclonedx: generate vcs externalReferences for source repos
- gitlab-ci: use larger shared runners where necessary
- add 'make show-info-all'
- dependencies.sh: reject buggy uutils "install" on Ubuntu 26.04

Updated defconfigs: arcturus_ucp1020, at91sam9x5ek*

Updated / fixed packages: kexec, zsh, cups-filters, python-cbor2,
  haveged, lrzsz, ustream-ssl, expat, xwayland, libvncserver, liburing,
  sysrepo, qt53d, collectd, mariadb, gstreamer1, jemalloc, libks,
  lua-sdl2, util-linux, vlc, xfsprogs, kodi, bind, libde265,
  docker-cli, libabseil-cpp, wpewebkit, libpthsem, heirloom-mailx, icu,
  libheif, podman, unbound, dropbear, vorbis-tools, crucible, unzip,
  libssh2, python3, imagemagick, libbpf, gdb, capnproto, esp-hosted,
  freeipmi, asterisk, wireless-regdb, intel-microcode, weston,
  util-linux-libs, linux-headers, qt6base, zlib-ng, libgphoto2, hplip,
  bpftrace, postgresql, babeld, sed, libdrm, lrzip, odhcp6c, linux,
  efl, libusb, jq, sane-airscan, libmad, faad2, dnsmasq, privoxy,
  libgit2, mrp, putty, sshfs, gcc-bare-metal, graphene, mongoose,
  rsync, redis, hiredis, cairo, zic, dos2unix, libargon2,
  docker-engine, sane-backends, arm-trusted-firmware, libnss, openscap,
  opencv4, liburiparser, libdill, radvd, poppler, tzdata,
  gst1-plugins-bad, python-ecdsa, php, stellarium, python-aiodns,
  nginx, gnupg2, tor, xerces, gst1-plugins-good, libmodsecurity,
  sdl2_image, readline, libgpg-error, samba4, runc,
  xserver_xorg-server, glibc, memcached, libmicrohttpd, supertux, exim,
  python-urllib3, qt5webengine-chromium

For more details, see the CHANGES file:

https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02.3/CHANGES

Users of the affected packages are strongly encouraged to upgrade.

Many thanks to all the people contributing to this release:

git shortlog -s -n 2026.02.2..

    83	Bernd Kuhls
    33	Thomas Perale
    12	Peter Korsgaard
     8	Quentin Schulz
     7	Romain Naour
     6	Martin Willi
     5	Thomas Petazzoni
     5	Titouan Christophe
     4	Arnout Vandecappelle
     4	Giulio Benetti
     4	Julien Olivain
     4	Shubham Chakraborty
     2	Dario Binacchi
     2	Francois Perrad
     2	Joseph Kogut
     2	Marcus Hoffmann
     2	Waldemar Brodkorb
     1	Alexis Lothoré
     1	Andreas Mohr
     1	Devreese Jorik
     1	Heiko Stuebner
     1	James Hilliard
     1	John Ernberg
     1	Michael Nosthoff
     1	Pengji Li
     1	Raphael Pavlidis
     1	Viacheslav Bocharov
     1	Vincent Cruz

Regards,
Arnout
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot