The Debian Project shipped the fourteenth point release of its oldstable distribution, Debian 12.14 (codename bookworm), on 2026-05-16. The update bundles a long roster of security patches and serious bug fixes for the venerable release, which now sits one major version behind current stable but remains a workhorse on servers, single-board computers, and self-hosted setups across the open source world.
This revision pulls in upstream stable releases for foundational pieces of the userland, including glibc, openssl, dpkg, and postgresql-15, alongside corrections for nginx, apache2, openssh, systemd, and the GRUB bootloader family. The GRUB updates are particularly substantial, removing NTFS and JFS from the monolithic EFI image, refreshing SBAT levels, and marking signed packages as Protected so they cannot be casually uninstalled. Container infrastructure also gets attention with fixes flowing through containerd, docker.io, libpod, and buildah, while LXC picks up a patch for an authorization bypass tracked as CVE-2026-39402.
Security-conscious admins running 7zip, Calibre, Erlang, Exim4, libpng, libarchive, and Wireshark will find pages of CVE fixes worth applying. The Security Team has folded in well over a hundred separate security advisories issued since the previous point release, covering everything from Firefox ESR and Thunderbird to chromium, LibreOffice, GIMP, and the Linux kernel itself. Two packages, suricata and zulucrypt, have been dropped from the archive due to security issues and unsupportable or unmaintained status.
The Debian Installer has been refreshed against the new package set, with the Linux ABI bumped to 6.1.0-47, and distro-info-data now recognizes Ubuntu 26.10 Stonking Stingray. Existing installations can pull the changes from any of Debian's mirrors using standard package management, and fresh installation images are on the way to the usual download locations. Users who track security.debian.org regularly will already have most of these updates in place.