Release notes for Yocto-4.0.26 (Kirkstone)

Security Fixes in Yocto-4.0.26

• bind: Fix CVE-2024-11187 and CVE-2024-12705

• binutils: Fix CVE-2025-0840

• elfutils: Fix CVE-2025-1352 and CVE-2025-1372

• ffmpeg: Fix CVE-2024-28661, CVE-2024-35369, CVE-2024-36613, CVE-2024-36616, CVE-2024-36617, CVE-2024-36618, CVE-2025-0518 and CVE-2025-25473

• ffmpeg: Ignore CVE-2023-46407, CVE-2023-47470, CVE-2024-7272, CVE-2024-22860, CVE-2024-22861 and CVE-2024-22862

• freetype: Fix CVE-2025-27363

• gnutls: Fix CVE-2024-12243

• grub: Fix CVE-2024-45774, CVE-2024-45775, CVE-2024-45776, CVE-2024-45777, CVE-2024-45778, CVE-2024-45779, CVE-2024-45780, CVE-2024-45781, CVE-2024-45782, CVE-2024-45783, CVE-2024-56737, CVE-2025-0622, CVE-2025-0624, CVE-2025-0677, CVE-2025-0684, CVE-2025-0685, CVE-2025-0686, CVE-2025-0689, CVE-2025-0678, CVE-2025-0690, CVE-2025-1118 and CVE-2025-1125

• gstreamer1.0-rtsp-server: fix CVE-2024-44331

• libarchive: Fix CVE-2025-25724

• libarchive: Ignore CVE-2025-1632

• libcap: Fix CVE-2025-1390

• linux-yocto/5.10: Fix CVE-2024-36476, CVE-2024-43098, CVE-2024-47143, CVE-2024-48881, CVE-2024-50051, CVE-2024-50074, CVE-2024-50082, CVE-2024-50083, CVE-2024-50099, CVE-2024-50115, CVE-2024-50116, CVE-2024-50117, CVE-2024-50142, CVE-2024-50148, CVE-2024-50150, CVE-2024-50151, CVE-2024-50167, CVE-2024-50168, CVE-2024-50171, CVE-2024-50185, CVE-2024-50192, CVE-2024-50193, CVE-2024-50194, CVE-2024-50195, CVE-2024-50198, CVE-2024-50201, CVE-2024-50202, CVE-2024-50205, CVE-2024-50208, CVE-2024-50209, CVE-2024-50229, CVE-2024-50230, CVE-2024-50233, CVE-2024-50234, CVE-2024-50236, CVE-2024-50237, CVE-2024-50251, CVE-2024-50262, CVE-2024-50264, CVE-2024-50265, CVE-2024-50267, CVE-2024-50268, CVE-2024-50269, CVE-2024-50273, CVE-2024-50278, CVE-2024-50279, CVE-2024-50282, CVE-2024-50287, CVE-2024-50292, CVE-2024-50296, CVE-2024-50299, CVE-2024-50301, CVE-2024-50302, CVE-2024-53042, CVE-2024-53052, CVE-2024-53057, CVE-2024-53059, CVE-2024-53060, CVE-2024-53061, CVE-2024-53063, CVE-2024-53066, CVE-2024-53096, CVE-2024-53097, CVE-2024-53101, CVE-2024-53103, CVE-2024-53104, CVE-2024-53145, CVE-2024-53146, CVE-2024-53150, CVE-2024-53155, CVE-2024-53156, CVE-2024-53157, CVE-2024-53161, CVE-2024-53165, CVE-2024-53171, CVE-2024-53173, CVE-2024-53174, CVE-2024-53194, CVE-2024-53197, CVE-2024-53217, CVE-2024-53226, CVE-2024-53227, CVE-2024-53237, CVE-2024-53239, CVE-2024-55916, CVE-2024-56548, CVE-2024-56558, CVE-2024-56567, CVE-2024-56568, CVE-2024-56569, CVE-2024-56572, CVE-2024-56574, CVE-2024-56581, CVE-2024-56587, CVE-2024-56593, CVE-2024-56595, CVE-2024-56596, CVE-2024-56598, CVE-2024-56600, CVE-2024-56601, CVE-2024-56602, CVE-2024-56603, CVE-2024-56605, CVE-2024-56606, CVE-2024-56615, CVE-2024-56619, CVE-2024-56623, CVE-2024-56629, CVE-2024-56634, CVE-2024-56642, CVE-2024-56643, CVE-2024-56648, CVE-2024-56650, CVE-2024-56659, CVE-2024-56662, CVE-2024-56670, CVE-2024-56688, CVE-2024-56698, CVE-2024-56704, CVE-2024-56716, CVE-2024-56720, CVE-2024-56723, CVE-2024-56724, CVE-2024-56728, CVE-2024-56739, CVE-2024-56746, CVE-2024-56747, CVE-2024-56748, CVE-2024-56754, CVE-2024-56756, CVE-2024-56770, CVE-2024-56779, CVE-2024-56780, CVE-2024-56781, CVE-2024-56785, CVE-2024-57802, CVE-2024-57807, CVE-2024-57850, CVE-2024-57874, CVE-2024-57890, CVE-2024-57896, CVE-2024-57900, CVE-2024-57901, CVE-2024-57902, CVE-2024-57910, CVE-2024-57911, CVE-2024-57913, CVE-2024-57922, CVE-2024-57938, CVE-2024-57939, CVE-2024-57946, CVE-2024-57951, CVE-2025-21638, CVE-2025-21687, CVE-2025-21689, CVE-2025-21692, CVE-2025-21694, CVE-2025-21697 and CVE-2025-21699

• linux-yocto/5.15: Fix CVE-2024-57979, CVE-2024-58034, CVE-2024-58052, CVE-2024-58055, CVE-2024-58058, CVE-2024-58063, CVE-2024-58069, CVE-2024-58071, CVE-2024-58076, CVE-2024-58083, CVE-2025-21700, CVE-2025-21703, CVE-2025-21715, CVE-2025-21722, CVE-2025-21727, CVE-2025-21731, CVE-2025-21753, CVE-2025-21756, CVE-2025-21760, CVE-2025-21761, CVE-2025-21762, CVE-2025-21763, CVE-2025-21764, CVE-2025-21796, CVE-2025-21811, CVE-2025-21887, CVE-2025-21898, CVE-2025-21904, CVE-2025-21905, CVE-2025-21912, CVE-2025-21917, CVE-2025-21919, CVE-2025-21920, CVE-2025-21922, CVE-2025-21934, CVE-2025-21943, CVE-2025-21948 and CVE-2025-21951

• libpcre2: Ignore CVE-2022-1586

• libtasn1: Fix CVE-2024-12133

• libxml2: Fix CVE-2022-49043, CVE-2024-56171, CVE-2025-24928 and CVE-2025-27113

• libxslt: Fix CVE-2024-55549 and CVE-2025-24855

• llvm: Fix CVE-2024-0151

• mpg123: Fix CVE-2024-10573

• openssh: Fix CVE-2025-26465

• ovmf: Revert Fix for CVE-2023-45236 CVE-2023-45237

• perl: Ignore CVE-2023-47038

• puzzles: Ignore CVE-2024-13769, CVE-2024-13770 and CVE-2025-0837

• python3: Fix CVE-2025-0938

• ruby: Fix CVE-2024-41946, CVE-2025-27219 and CVE-2025-27220

• subversion: Ignore CVE-2024-45720

• systemd: Fix CVE-2022-3821, CVE-2022-4415, CVE-2022-45873 and CVE-2023-7008

• tiff: mark CVE-2023-30774 as patched with existing patch

• u-boot: Fix CVE-2022-2347, CVE-2022-30767, CVE-2022-30790, CVE-2024-57254, CVE-2024-57255, CVE-2024-57256, CVE-2024-57257, CVE-2024-57258 and CVE-2024-57259

• vim: Fix CVE-2025-1215, CVE-2025-22134, CVE-2025-24014, CVE-2025-26603, CVE-2025-27423 and CVE-2025-29768

• xserver-xorg: Fix CVE-2022-49737, CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600 and CVE-2025-26601

• xwayland: Fix CVE-2022-49737, CVE-2024-9632, CVE-2024-21885, CVE-2024-21886, CVE-2024-31080, CVE-2024-31081, CVE-2024-31083, CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600 and CVE-2025-26601

• zlib: Fix CVE-2014-9485

Fixes in Yocto-4.0.26

• bind: Upgrade to 9.18.33

• bitbake: cache: bump cache version

• bitbake: siggen.py: Improve taskhash reproducibility

• boost: fix do_fetch error

• build-appliance-image: Update to kirkstone head revision

• contributor-guide/submit-changes: add policy on AI generated code

• cve-update-nvd2-native: handle missing vulnStatus

• docs: Add favicon for the documentation html

• docs: Remove all mention of core-image-lsb

• libtasn1: upgrade to 4.20.0

• libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt

• libxml2: fix compilation of explicit child axis in pattern

• linux-yocto/5.10: update to v5.10.234

• linux-yocto/5.15: update to v5.15.179

• mesa: Fix missing GLES3 headers in SDK sysroot

• mesa: Update SRC_URI

• meta: Enable ‘-o pipefail’ for the SDK installer

• migration-guides: add release notes for 4.0.25

• poky.conf: add ubuntu2404 to SANITY_TESTED_DISTROS

• poky.conf: bump version for 4.0.26

• procps: replaced one use of fputs(3) with a write(2) call

• ref-manual: don’t refer to poky-lsb

• scripts/install-buildtools: Update to 4.0.24

• scritps/runqemu: Ensure we only have two serial ports

• systemd: upgrade to 250.14

• tzcode-native: Fix compiler setting from 2023d version

• tzcode: Update SRC_URI

• tzdata/tzcode-native: upgrade 2025a

• vim: Upgrade to 9.1.1198

• virglrenderer: fix do_fetch error

• vulnerabilities/classes: remove references to cve-check text format

• xz: Update SRC_URI

• yocto-uninative: Update to 4.7 for glibc 2.41

Known Issues in Yocto-4.0.26

• N/A

Contributors to Yocto-4.0.26

Thanks to the following people who contributed to this release:

• Aleksandar Nikolic

• Alessio Cascone

• Antonin Godard

• Archana Polampalli

• Ashish Sharma

• Bruce Ashfield

• Carlos Dominguez

• Deepesh Varatharajan

• Divya Chellam

• Guocai He

• Hitendra Prajapati

• Hongxu Jia

• Jiaying Song

• Johannes Kauffmann

• Kai Kang

• Lee Chee Yang

• Libo Chen

• Marta Rybczynska

• Michael Halstead

• Mingli Yu

• Moritz Haase

• Narpat Mali

• Paulo Neves

• Peter Marko

• Priyal Doshi

• Richard Purdie

• Robert Yang

• Ross Burton

• Sakib Sajal

• Steve Sakoman

• Vijay Anusuri

• Yogita Urade

• Zhang Peng

Repositories / Downloads for Yocto-4.0.26

poky

• Repository Location: https://git.yoctoproject.org/poky

• Branch: kirkstone

• Tag: yocto-4.0.26

• Git Revision: d70d287a77d5026b698ac237ab865b2dafd36bb8

• Release Artefact: poky-d70d287a77d5026b698ac237ab865b2dafd36bb8

• sha: 3ebfadb8bff4c1ca12b3cf3e4ef6e3ac2ce52b73570266daa98436c9959249f2

• Download Locations: https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/poky-d70d287a77d5026b698ac237ab865b2dafd36bb8.tar.bz2 https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/poky-d70d287a77d5026b698ac237ab865b2dafd36bb8.tar.bz2

openembedded-core

• Repository Location: https://git.openembedded.org/openembedded-core

• Branch: kirkstone

• Tag: yocto-4.0.26

• Git Revision: 1efbe1004bc82e7c14c1e8bd4ce644f5015c3346

• Release Artefact: oecore-1efbe1004bc82e7c14c1e8bd4ce644f5015c3346

• sha: d3805e034dabd0865dbf55488b2c16d4ea0351d37aa826f0054a6bfdde5a8be9

• Download Locations: https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/oecore-1efbe1004bc82e7c14c1e8bd4ce644f5015c3346.tar.bz2 https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/oecore-1efbe1004bc82e7c14c1e8bd4ce644f5015c3346.tar.bz2

meta-mingw

• Repository Location: https://git.yoctoproject.org/meta-mingw

• Branch: kirkstone

• Tag: yocto-4.0.26

• Git Revision: 87c22abb1f11be430caf4372e6b833dc7d77564e

• Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e

• sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8

• Download Locations: https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2 https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2

meta-gplv2

• Repository Location: https://git.yoctoproject.org/meta-gplv2

• Branch: kirkstone

• Tag: yocto-4.0.26

• Git Revision: d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a

• Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a

• sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d

• Download Locations: https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2

bitbake

• Repository Location: https://git.openembedded.org/bitbake

• Branch: 2.0

• Tag: yocto-4.0.26

• Git Revision: 046871d9fd76efdca7b72718b328d8f545523f7e

• Release Artefact: bitbake-046871d9fd76efdca7b72718b328d8f545523f7e

• sha: e9df0a9f5921b583b539188d66b23f120e1751000e7822e76c3391d5c76ee21a

• Download Locations: https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2 https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2

yocto-docs

• Repository Location: https://git.yoctoproject.org/yocto-docs

• Branch: kirkstone

• Tag: yocto-4.0.26

• Git Revision: 9b4c36f7b02dd4bedfec90206744a1e90e37733c