diff --git a/.cirrus.yml b/.cirrus.yml index 69f2c1077e..d72dd59869 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -187,6 +187,13 @@ debian11_task: << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE +arm_debian11_task: + arm_container: + # Debian 11 EOL: June 2026 + dockerfile: ci/debian-11/Dockerfile + << : *RESOURCES_TEMPLATE + << : *CI_TEMPLATE + debian11_static_task: container: # Just use a recent/common distro to run a static compile test. @@ -527,6 +534,10 @@ container_image_manifest_docker_builder: - docker tag zeek/zeek-multiarch:amd64 zeekurity/zeek-multiarch:amd64 - ZEEK_IMAGE_REPO=zeekurity ./ci/container-images-tag-and-push.sh depends_on: + # Only push out the image if all the btests succeeded and the + # images have been built. + - arm_debian11 + - debian11 - arm64_container_image - amd64_container_image diff --git a/src/Base64.cc b/src/Base64.cc index 1cf3f1b924..b88c7dff60 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -184,17 +184,17 @@ int Base64Converter::Decode(int len, const char* data, int* pblen, char** pbuf) if ( dlen >= len ) break; - if ( data[dlen] == '=' ) + unsigned char c = (unsigned char)data[dlen]; + if ( c == '=' ) ++base64_padding; - int k = base64_table[(unsigned char)data[dlen]]; + int k = base64_table[c]; if ( k >= 0 ) base64_group[base64_group_next++] = k; else { if ( ++errored == 1 ) - IllegalEncoding( - util::fmt("character %d ignored by Base64 decoding", (int)(data[dlen]))); + IllegalEncoding(util::fmt("character %d ignored by Base64 decoding", (int)c)); } ++dlen; diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 09bff23847..caaa6fca1c 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc 
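Review bot: The comment added above the new `depends_on` entries says the image is pushed only if "all the btests succeeded", but the list names only `arm_debian11` and `debian11`. As far as this hunk shows, a failure in any other test task in the file would not block the push. Either reword the comment to what is enforced, e.g. `# Only push the images once the Debian 11 btests (amd64 and arm64) pass and both images are built.`, or add the remaining test tasks to the list. For a job that publishes images to a registry, the comment should match the actual gate so nobody assumes broader coverage than exists.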
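Review bot: The conversion `unsigned char c = (unsigned char)data[dlen];` is the substance of this fix, but it carries no comment and uses a C-style cast. I would write `const auto c = static_cast<unsigned char>(data[dlen]);` and put `// Plain char is signed on some platforms; convert once so bytes >= 0x80 index base64_table and are reported as 128..255.` above it. The size of `base64_table` is not visible in this hunk, so it is worth confirming that it has 256 entries, since any input byte can reach the lookup. Decode's body starts and ends outside the hunk.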
@@ -1186,9 +1186,9 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line, const char* end_of_ return line; } -static bool is_HTTP_token_char(char c) +static bool is_HTTP_token_char(unsigned char c) { - return c > 31 && c != 127 && // CTL per RFC 2616. + return c > 31 && c < 127 && // Exclude non-ascii and DEL/CTL per RFC 2616 c != ' ' && c != '\t' && // Separators. c != '(' && c != ')' && c != '<' && c != '>' && c != '@' && c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' && c != '/' && c != '[' && c != ']' && c != '?' && diff --git a/src/analyzer/protocol/netbios/functions.bif b/src/analyzer/protocol/netbios/functions.bif index f841694914..b45fc2adf0 100644 --- a/src/analyzer/protocol/netbios/functions.bif +++ b/src/analyzer/protocol/netbios/functions.bif @@ -25,7 +25,7 @@ function decode_netbios_name%(name: string%): string if ( name->Len() != 32 ) return val_mgr->EmptyString(); - char buf[16]; + unsigned char buf[16]; const u_char* s = name->Bytes(); int i, j; int length = 0; @@ -68,7 +68,7 @@ function decode_netbios_name%(name: string%): string --length; } - return zeek::make_intrusive(length, buf); + return zeek::make_intrusive(length, (const char *)buf); %} ## Converts a NetBIOS name type to its corresponding numeric value. diff --git a/testing/btest/Baseline/bifs.decode_base64_errors/out b/testing/btest/Baseline/bifs.decode_base64_errors/out new file mode 100644 index 0000000000..6fd2476e2f --- /dev/null +++ b/testing/btest/Baseline/bifs.decode_base64_errors/out @@ -0,0 +1,7 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +error: character 94 ignored by Base64 decoding +error: error in decoding string ^#@!@##$!=== +error: character 237 ignored by Base64 decoding +error: error in decoding string ноп=== +PASS +PASS diff --git a/testing/btest/Baseline/bifs.netbios-functions/out b/testing/btest/Baseline/bifs.netbios-functions/out index f67f434df7..74496ebc89 100644 
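Review bot: No regression test for this change is visible in the commit. The Base64 and NetBIOS fixes each gain a btest, but nothing here feeds an HTTP method or header name containing a byte >= 0x80 through the analyzer; the bumped zeek-testing-private hash may cover it, which cannot be checked from this page. The old `c > 31 && c != 127` presumably accepted such bytes where plain `char` is unsigned and rejected them where it is signed, so a small trace-based btest would pin the now platform-independent result. The comment could also record that callers pass plain `char` and rely on the implicit conversion, e.g. `// Takes unsigned char so bytes >= 0x80 compare as 128..255 on every platform.`. The return expression continues past the end of the hunk.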
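Review bot: The new return in `decode_netbios_name` uses a C-style cast, `(const char *)buf`; prefer `reinterpret_cast<const char*>(buf)` so the reinterpretation is explicit and greppable. The change to `unsigned char buf[16];` in the previous hunk of this file also has no comment saying why signedness matters. The code between the two hunks that fills and checks `buf` is not shown, so I would add something like `// unsigned so decoded bytes >= 0x80 are not negative in the checks below` only after confirming that is the reason. The function body starts before and ends after the lines shown.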
--- a/testing/btest/Baseline/bifs.netbios-functions/out +++ b/testing/btest/Baseline/bifs.netbios-functions/out @@ -11,3 +11,4 @@ 256, 0, 256, 0, 256, 0, +0, 0, diff --git a/testing/btest/bifs/decode_base64_errors.zeek b/testing/btest/bifs/decode_base64_errors.zeek new file mode 100644 index 0000000000..0becccb09b --- /dev/null +++ b/testing/btest/bifs/decode_base64_errors.zeek @@ -0,0 +1,11 @@ +# @TEST-EXEC: zeek -b %INPUT >out 2>&1 +# @TEST-EXEC: btest-diff out + +event zeek_init() + { + local r1 = decode_base64("^#@!@##$!==="); + print |r1| > 0 ? "FAIL" : "PASS"; + + local r2 = decode_base64("\xed\xee\xef==="); + print |r2| > 0 ? "FAIL" : "PASS"; + } diff --git a/testing/btest/bifs/netbios-functions.zeek b/testing/btest/bifs/netbios-functions.zeek index 402c06c07f..85f9f5c296 100644 --- a/testing/btest/bifs/netbios-functions.zeek +++ b/testing/btest/bifs/netbios-functions.zeek @@ -21,7 +21,9 @@ local encoded_names = vector( "cacacacacacacacacacacacacacacaca", # empty "abcd", # invalid length "~jfdebfeebfacacacacacacacacacaaa", # invalid alphabet - "0jfdebfeebfacacacacacacacacacaaa");# invalid alphabet + "0jfdebfeebfacacacacacacacacacaaa", # invalid alphabet + "lpejldmeebfacacacacacacacacacaaa", # non-ascii stuff +); for ( i in encoded_names ) decode_name(encoded_names[i]); diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index aaaa01bdc4..193ea5a63d 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -7bbcd06c50dc5bcae3533842c302c617ac5f1852 +0bd2853c1666e89da1c262107d8be7a445078f8a
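Review bot: The new `decode_base64_errors.zeek` test does not say what it guards against. The PASS/FAIL prints alone would pass even if the reported character value were wrong, so the real check is the baseline line `character 237 ignored by Base64 decoding`. A header comment such as `# Regression test: illegal bytes >= 0x80 must be reported as 128..255 regardless of whether plain char is signed.` would make that clear to whoever next regenerates the baseline with `btest -U`.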