The updated packages fix security vulnerabilities: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion. (CVE-2026-7383) Out-of-Bounds Read in CMS Password-Based Decryption. (CVE-2026-9076) Heap Buffer Over-read in ASN.1 Content Parsing. (CVE-2026-34180) PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys. (CVE-2026-34181) CMS AuthEnvelopedData Processing May Accept Forged Messages. (CVE-2026-34182) Unbounded Memory Growth in the QUIC PATHCHALLENGE Handler. (CVE-2026-34183) NULL Pointer Dereference in QUIC Server Initial Packet Handling. (CVE-2026-42764) Possible NULL Dereference in Password-Based CMS Decryption. (CVE-2026-42766) NULL Pointer Dereference in CRMF EncryptedValue Decryption. (CVE-2026-42767) Multi-RecipientInfo Bleichenbacher Oracle in CMSdecrypt() and PKCS7decrypt(). (CVE-2026-42768) Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate. (CVE-2026-42769) FFC-DH Peer Validation Uses Attacker-Supplied q. (CVE-2026-42770) AES-OCB IV Ignored on EVPCipher() Path. (CVE-2026-45445) Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446) Heap Use-After-Free in the PKCS7_verify(). (CVE-2026-45447)