The Debian Project has released Debian 13.6, the latest update for the stable Debian 13 “Trixie” release. Published on July 11, 2026, this update includes important security patches, bug fixes, and updated installation images.
This is a maintenance release rather than a new version of Debian. Existing users can upgrade their systems using the standard APT update process without performing a full operating system upgrade.
What’s New in Debian 13.6?
Debian 13.6 combines previously released security updates into a single package, making it easier for users to keep their systems up to date.
The release also includes:
- An updated Linux kernel (6.12.94+deb13)
- Improved installation media for new deployments
- Security fixes for Apache HTTP Server
- Curl updates that address credential leaks and other security issues
- QEMU updates with multiple security improvements
- Bug fixes across various Debian packages
The update also improves UEFI Secure Boot support by updating fwupd to version 2.0.20. Debian recommends installing firmware updates provided by your hardware manufacturer before making changes to Secure Boot on supported systems.
Security Recommendations
Administrators should update their systems as soon as possible to benefit from the latest security fixes.
Recommended actions include:
- Run
apt update && apt upgradeto install the latest updates. - Use the new Debian 13.6 installation images for fresh deployments.
- Apply firmware updates recommended by your hardware vendor.
- Update Apache, Curl, QEMU, and other affected packages.
- If your organization relies on accurate IP geolocation, obtain the latest GeoLite database directly from its provider instead of using Debian’s bundled package.
Keeping Debian systems updated is one of the most effective ways to reduce security risks and ensure stable, reliable operation.
Notable CVEs Fixed
- Apache2: CVE-2026-29167, CVE-2026-48913, CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-42536, CVE-2026-42535, CVE-2026-44186, CVE-2026-49975, CVE-2026-43951, CVE-2026-44185, CVE-2026-44119, CVE-2026-44631
- Curl: CVE-2025-14524, CVE-2026-3783, CVE-2025-14819, CVE-2026-1965, CVE-2026-3784, CVE-2026-5545, CVE-2026-4873, CVE-2026-3805, CVE-2026-5773, CVE-2026-6253, CVE-2026-6429, CVE-2026-6276, CVE-2026-7168
- QEMU: CVE-2024-6519, CVE-2026-2243, CVE-2026-3195, CVE-2026-3196, CVE-2026-3842, CVE-2026-3886, CVE-2026-3890, CVE-2026-41435 through CVE-2026-41440, CVE-2026-5744, CVE-2026-5761, CVE-2026-5763, CVE-2026-6502, CVE-2026-8341, CVE-2026-48002 through CVE-2026-48004, CVE-2026-48914, CVE-2026-48915, CVE-2026-6425, CVE-2026-8343
- Linux kernel: Updated through multiple Debian security advisories, alongside refreshed signed AMD64 and ARM64 kernel packages.debian
- Other affected software:
dcmtk,dhcpcd,giflib,libxml2,mutt,python3.13,rsync,sshfs-fuse,xz-utils,wireshark,OpenSSL, Chromium, Firefox ESR, Nginx, Redis, PostgreSQL 17, and Thunderbird received security-related updates.