{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.8.0-124-generic", "linux-image-6.8.0-124-generic", "linux-modules-6.8.0-124-generic", "linux-riscv-6.8-headers-6.8.0-124" ], "removed": [ "linux-headers-6.8.0-117-generic", "linux-image-6.8.0-117-generic", "linux-modules-6.8.0-117-generic", "linux-riscv-6.8-headers-6.8.0-117" ], "diff": [ "bind9-dnsutils", "bind9-host", "bind9-libs:riscv64", "ca-certificates", "cloud-init", "libarchive13:riscv64", "libgcrypt20:riscv64", "libgnutls30:riscv64", "libjcat1:riscv64", "liblzma5:riscv64", "libnetplan0:riscv64", "libnss-systemd:riscv64", "libpam-systemd:riscv64", "libssl3:riscv64", "libsystemd0:riscv64", "libudev1:riscv64", "libxmlb2:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "nano", "netplan-generator", "netplan.io", "openssl", "python3-netplan", "python3-twisted", "python3-urllib3", "rsync", "snapd", "systemd", "systemd-sysv", "systemd-timesyncd", "udev", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd", "xz-utils" ] } }, "diff": { "deb": [ { "name": "bind9-dnsutils", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.39-0ubuntu0.22.04.3", "version": "1:9.18.39-0ubuntu0.22.04.3" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.39-0ubuntu0.22.04.4", "version": "1:9.18.39-0ubuntu0.22.04.4" }, "cves": [ { "cve": "CVE-2026-3039", "url": "https://ubuntu.com/security/CVE-2026-3039", "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-3592", "url": "https://ubuntu.com/security/CVE-2026-3592", "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5946", "url": "https://ubuntu.com/security/CVE-2026-5946", "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5950", "url": "https://ubuntu.com/security/CVE-2026-5950", "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-3039", "url": "https://ubuntu.com/security/CVE-2026-3039", "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-3592", "url": "https://ubuntu.com/security/CVE-2026-3592", "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5946", "url": "https://ubuntu.com/security/CVE-2026-5946", "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5950", "url": "https://ubuntu.com/security/CVE-2026-5950", "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY", " negotiation", " - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the", " error path in lib/dns/gssapictx.c.", " - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY", " negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,", " lib/dns/tkey.c.", " - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context", " leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,", " lib/dns/tkey.c.", " - CVE-2026-3039", " * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue", " records", " - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses", " returned per ADB find in bin/named/main.c, lib/dns/adb.c.", " - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from", " the resolver SLIST in lib/dns/resolver.c.", " - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed", " glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,", " bin/tests/system/selfpointedglue/ns1/root.db,", " bin/tests/system/selfpointedglue/ns2/named.conf.j2,", " bin/tests/system/selfpointedglue/ns2/tld.db,", " bin/tests/system/selfpointedglue/ns3/example.tld.db,", " bin/tests/system/selfpointedglue/ns3/example2.tld.db,", " bin/tests/system/selfpointedglue/ns3/named.conf.j2,", " bin/tests/system/selfpointedglue/ns4/named.args.j2,", " bin/tests/system/selfpointedglue/ns4/named.conf.j2,", " bin/tests/system/selfpointedglue/ns4/root.hint,", " bin/tests/system/selfpointedglue/prereq.sh,", " bin/tests/system/selfpointedglue/tests_selfpointedglue.py.", " - debian/patches/CVE-2026-3592-5.patch: Add SRTT-based server selection", " system test in bin/tests/system/srtt/README,", " bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,", " bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,", " bin/tests/system/srtt/ns1/named.conf.j2,", " bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,", " bin/tests/system/srtt/ns6/named.conf.j2, bin/tests/system/srtt/prereq.sh,", " bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.", " - CVE-2026-3592", " * SECURITY UPDATE: Invalid handling of CLASS != IN", " - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN", " classes in bin/named/server.c, bin/tests/system/checkconf/tests.sh,", " bin/tests/system/resolver/tests.sh, lib/bind9/check.c.", " - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for", " non-IN classes in bin/named/server.c, lib/dns/adb.c,", " lib/ns/client.c, lib/ns/update.c.", " - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early", " in request processing in bin/tests/system/unknown/tests.sh,", " lib/ns/client.c.", " - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and", " NOTIFY messages in lib/dns/message.c.", " - debian/patches/CVE-2026-5946-5.patch: Skip \"deny-answer-address\" for", " non-IN addresses in lib/dns/resolver.c.", " - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior", " in bin/tests/system/checkconf/tests.sh,", " bin/tests/system/checkconf/warn-chaos-recursion.conf,", " bin/tests/system/class/ns1/chaos.db.in,", " bin/tests/system/class/ns1/named.conf.j2,", " bin/tests/system/class/ns2/example.db.in,", " bin/tests/system/class/ns2/localhost.db.in,", " bin/tests/system/class/ns2/named.conf.j2,", " bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,", " bin/tests/system/class/tests_class_chaos.py,", " bin/tests/system/isctest/check.py.", " - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and", " other non-IN classes in bin/named/server.c,", " bin/tests/system/class/ns2/localhost.db.in,", " bin/tests/system/class/tests_class_update.py.", " - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending", " various UPDATE requests in bin/tests/system/class/tests_class_update.py,", " bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,", " bin/tests/system/packet.pl.", " - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in", " isctest.query() in bin/tests/system/isctest/query.py.", " - CVE-2026-5946", " * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver", " - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE", " resend loop in bin/tests/system/resend_loop/ans3/ans.py,", " bin/tests/system/resend_loop/ns4/named.conf.j2,", " bin/tests/system/resend_loop/ns4/root.hint,", " bin/tests/system/resend_loop/tests_resend_loop.py.", " - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query", " counters in lib/dns/resolver.c.", " - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query", " counters in lib/dns/resolver.c.", " - CVE-2026-5950", "" ], "package": "bind9", "version": "1:9.18.39-0ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 21 May 2026 10:42:08 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "bind9-host", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.39-0ubuntu0.22.04.3", "version": "1:9.18.39-0ubuntu0.22.04.3" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.39-0ubuntu0.22.04.4", "version": "1:9.18.39-0ubuntu0.22.04.4" }, "cves": [ { "cve": "CVE-2026-3039", "url": "https://ubuntu.com/security/CVE-2026-3039", "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-3592", "url": "https://ubuntu.com/security/CVE-2026-3592", "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5946", "url": "https://ubuntu.com/security/CVE-2026-5946", "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5950", "url": "https://ubuntu.com/security/CVE-2026-5950", "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-3039", "url": "https://ubuntu.com/security/CVE-2026-3039", "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-3592", "url": "https://ubuntu.com/security/CVE-2026-3592", "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5946", "url": "https://ubuntu.com/security/CVE-2026-5946", "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5950", "url": "https://ubuntu.com/security/CVE-2026-5950", "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY", " negotiation", " - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the", " error path in lib/dns/gssapictx.c.", " - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY", " negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,", " lib/dns/tkey.c.", " - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context", " leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,", " lib/dns/tkey.c.", " - CVE-2026-3039", " * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue", " records", " - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses", " returned per ADB find in bin/named/main.c, lib/dns/adb.c.", " - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from", " the resolver SLIST in lib/dns/resolver.c.", " - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed", " glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,", " bin/tests/system/selfpointedglue/ns1/root.db,", " bin/tests/system/selfpointedglue/ns2/named.conf.j2,", " bin/tests/system/selfpointedglue/ns2/tld.db,", " bin/tests/system/selfpointedglue/ns3/example.tld.db,", " bin/tests/system/selfpointedglue/ns3/example2.tld.db,", " bin/tests/system/selfpointedglue/ns3/named.conf.j2,", " bin/tests/system/selfpointedglue/ns4/named.args.j2,", " bin/tests/system/selfpointedglue/ns4/named.conf.j2,", " bin/tests/system/selfpointedglue/ns4/root.hint,", " bin/tests/system/selfpointedglue/prereq.sh,", " bin/tests/system/selfpointedglue/tests_selfpointedglue.py.", " - debian/patches/CVE-2026-3592-5.patch: Add SRTT-based server selection", " system test in bin/tests/system/srtt/README,", " bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,", " bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,", " bin/tests/system/srtt/ns1/named.conf.j2,", " bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,", " bin/tests/system/srtt/ns6/named.conf.j2, bin/tests/system/srtt/prereq.sh,", " bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.", " - CVE-2026-3592", " * SECURITY UPDATE: Invalid handling of CLASS != IN", " - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN", " classes in bin/named/server.c, bin/tests/system/checkconf/tests.sh,", " bin/tests/system/resolver/tests.sh, lib/bind9/check.c.", " - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for", " non-IN classes in bin/named/server.c, lib/dns/adb.c,", " lib/ns/client.c, lib/ns/update.c.", " - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early", " in request processing in bin/tests/system/unknown/tests.sh,", " lib/ns/client.c.", " - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and", " NOTIFY messages in lib/dns/message.c.", " - debian/patches/CVE-2026-5946-5.patch: Skip \"deny-answer-address\" for", " non-IN addresses in lib/dns/resolver.c.", " - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior", " in bin/tests/system/checkconf/tests.sh,", " bin/tests/system/checkconf/warn-chaos-recursion.conf,", " bin/tests/system/class/ns1/chaos.db.in,", " bin/tests/system/class/ns1/named.conf.j2,", " bin/tests/system/class/ns2/example.db.in,", " bin/tests/system/class/ns2/localhost.db.in,", " bin/tests/system/class/ns2/named.conf.j2,", " bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,", " bin/tests/system/class/tests_class_chaos.py,", " bin/tests/system/isctest/check.py.", " - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and", " other non-IN classes in bin/named/server.c,", " bin/tests/system/class/ns2/localhost.db.in,", " bin/tests/system/class/tests_class_update.py.", " - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending", " various UPDATE requests in bin/tests/system/class/tests_class_update.py,", " bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,", " bin/tests/system/packet.pl.", " - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in", " isctest.query() in bin/tests/system/isctest/query.py.", " - CVE-2026-5946", " * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver", " - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE", " resend loop in bin/tests/system/resend_loop/ans3/ans.py,", " bin/tests/system/resend_loop/ns4/named.conf.j2,", " bin/tests/system/resend_loop/ns4/root.hint,", " bin/tests/system/resend_loop/tests_resend_loop.py.", " - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query", " counters in lib/dns/resolver.c.", " - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query", " counters in lib/dns/resolver.c.", " - CVE-2026-5950", "" ], "package": "bind9", "version": "1:9.18.39-0ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 21 May 2026 10:42:08 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "bind9-libs:riscv64", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.39-0ubuntu0.22.04.3", "version": "1:9.18.39-0ubuntu0.22.04.3" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.39-0ubuntu0.22.04.4", "version": "1:9.18.39-0ubuntu0.22.04.4" }, "cves": [ { "cve": "CVE-2026-3039", "url": "https://ubuntu.com/security/CVE-2026-3039", "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-3592", "url": "https://ubuntu.com/security/CVE-2026-3592", "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5946", "url": "https://ubuntu.com/security/CVE-2026-5946", "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5950", "url": "https://ubuntu.com/security/CVE-2026-5950", "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-3039", "url": "https://ubuntu.com/security/CVE-2026-3039", "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-3592", "url": "https://ubuntu.com/security/CVE-2026-3592", "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5946", "url": "https://ubuntu.com/security/CVE-2026-5946", "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-5950", "url": "https://ubuntu.com/security/CVE-2026-5950", "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.", "cve_priority": "medium", "cve_public_date": "2026-05-20 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY", " negotiation", " - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the", " error path in lib/dns/gssapictx.c.", " - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY", " negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,", " lib/dns/tkey.c.", " - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context", " leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,", " lib/dns/tkey.c.", " - CVE-2026-3039", " * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue", " records", " - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses", " returned per ADB find in bin/named/main.c, lib/dns/adb.c.", " - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from", " the resolver SLIST in lib/dns/resolver.c.", " - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed", " glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,", " bin/tests/system/selfpointedglue/ns1/root.db,", " bin/tests/system/selfpointedglue/ns2/named.conf.j2,", " bin/tests/system/selfpointedglue/ns2/tld.db,", " bin/tests/system/selfpointedglue/ns3/example.tld.db,", " bin/tests/system/selfpointedglue/ns3/example2.tld.db,", " bin/tests/system/selfpointedglue/ns3/named.conf.j2,", " bin/tests/system/selfpointedglue/ns4/named.args.j2,", " bin/tests/system/selfpointedglue/ns4/named.conf.j2,", " bin/tests/system/selfpointedglue/ns4/root.hint,", " bin/tests/system/selfpointedglue/prereq.sh,", " bin/tests/system/selfpointedglue/tests_selfpointedglue.py.", " - debian/patches/CVE-2026-3592-5.patch: Add SRTT-based server selection", " system test in bin/tests/system/srtt/README,", " bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,", " bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,", " bin/tests/system/srtt/ns1/named.conf.j2,", " bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,", " bin/tests/system/srtt/ns6/named.conf.j2, bin/tests/system/srtt/prereq.sh,", " bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.", " - CVE-2026-3592", " * SECURITY UPDATE: Invalid handling of CLASS != IN", " - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN", " classes in bin/named/server.c, bin/tests/system/checkconf/tests.sh,", " bin/tests/system/resolver/tests.sh, lib/bind9/check.c.", " - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for", " non-IN classes in bin/named/server.c, lib/dns/adb.c,", " lib/ns/client.c, lib/ns/update.c.", " - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early", " in request processing in bin/tests/system/unknown/tests.sh,", " lib/ns/client.c.", " - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and", " NOTIFY messages in lib/dns/message.c.", " - debian/patches/CVE-2026-5946-5.patch: Skip \"deny-answer-address\" for", " non-IN addresses in lib/dns/resolver.c.", " - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior", " in bin/tests/system/checkconf/tests.sh,", " bin/tests/system/checkconf/warn-chaos-recursion.conf,", " bin/tests/system/class/ns1/chaos.db.in,", " bin/tests/system/class/ns1/named.conf.j2,", " bin/tests/system/class/ns2/example.db.in,", " bin/tests/system/class/ns2/localhost.db.in,", " bin/tests/system/class/ns2/named.conf.j2,", " bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,", " bin/tests/system/class/tests_class_chaos.py,", " bin/tests/system/isctest/check.py.", " - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and", " other non-IN classes in bin/named/server.c,", " bin/tests/system/class/ns2/localhost.db.in,", " bin/tests/system/class/tests_class_update.py.", " - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending", " various UPDATE requests in bin/tests/system/class/tests_class_update.py,", " bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,", " bin/tests/system/packet.pl.", " - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in", " isctest.query() in bin/tests/system/isctest/query.py.", " - CVE-2026-5946", " * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver", " - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE", " resend loop in bin/tests/system/resend_loop/ans3/ans.py,", " bin/tests/system/resend_loop/ns4/named.conf.j2,", " bin/tests/system/resend_loop/ns4/root.hint,", " bin/tests/system/resend_loop/tests_resend_loop.py.", " - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query", " counters in lib/dns/resolver.c.", " - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query", " counters in lib/dns/resolver.c.", " - CVE-2026-5950", "" ], "package": "bind9", "version": "1:9.18.39-0ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 21 May 2026 10:42:08 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20240203~22.04.1", "version": "20240203~22.04.1" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20260601~22.04.1", "version": "20260601~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2156786 ], "changes": [ { "cves": [], "log": [ "", " * Update Mozilla certificate authority bundle to version 2.86", " (LP: #2156786)", " The following certificate authority was added (+):", " + e-Szigno TLS Root CA 2023", " The following certificate authorities were removed (-):", " - QuoVadis Root CA 2", " - QuoVadis Root CA 3", " - DigiCert Assured ID Root CA", " - DigiCert Global Root CA", " - DigiCert High Assurance EV Root CA", " - SwissSign Gold CA - G2", " - SecureTrust CA", " - Secure Global CA", " - COMODO Certification Authority", " - Certigna", " - certSIGN ROOT CA", " - AffirmTrust Commercial", " - AffirmTrust Networking", " - AffirmTrust Premium", " - AffirmTrust Premium ECC", " - TeliaSonera Root CA v1", " - Entrust Root Certification Authority - G2", " - Entrust Root Certification Authority - EC1", " - Trustwave Global Certification Authority", " - Trustwave Global ECC P256 Certification Authority", " - Trustwave Global ECC P384 Certification Authority", " - GLOBALTRUST 2020", " - GTS Root R2", " - FIRMAPROFESIONAL CA ROOT-A WEB", " The following certificate authority was renamed (~):", " ~ \"OISTE Server Root RSA G1\" (removed leading space)", " * Update Mozilla certificate authority bundle to version 2.82", " The following certificate authorities were added (+):", " + TrustAsia TLS ECC Root CA", " + TrustAsia TLS RSA Root CA", " + SwissSign RSA TLS Root CA 2022 - 1", " + OISTE Server Root ECC G1", " + OISTE Server Root RSA G1", " The following certificate authorities were removed (-):", " - GlobalSign Root CA", " - Entrust.net Premium 2048 Secure Server CA", " - Baltimore CyberTrust Root (closes: #1121936)", " - Comodo AAA Services root", " - XRamp Global CA Root", " - Go Daddy Class 2 CA", " - Starfield Class 2 CA", " - CommScope Public Trust ECC Root-01", " - CommScope Public Trust ECC Root-02", " - CommScope Public Trust RSA Root-01", " - CommScope Public Trust RSA Root-02", " * Update Mozilla certificate authority bundle to version 2.74.", " The following certificate authorities were added (+):", " + D-TRUST BR Root CA 2 2023", " + D-TRUST EV Root CA 2 2023", " The following certificate authorities were removed (-):", " - Entrust Root Certification Authority - G4", " - SecureSign RootCA11", " - Security Communication RootCA3", " - SwissSign Silver CA - G2", " * Update Mozilla certificate authority bundle to version 2.70.", " The following certificate authorities were added (+):", " + Telekom Security TLS ECC Root 2020", " + Telekom Security TLS RSA Root 2023", " + FIRMAPROFESIONAL CA ROOT-A WEB", " + TWCA CYBER Root CA", " + SecureSign Root CA12", " + SecureSign Root CA14", " + SecureSign Root CA15", " The following certificate authorities were removed (-):", " - Security Communication Root CA (closes: #1063093)", "" ], "package": "ca-certificates", "version": "20260601~22.04.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2156786 ], "author": "Marc Deslauriers ", "date": "Mon, 15 Jun 2026 12:17:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.3-0ubuntu1~22.04.1", "version": "25.3-0ubuntu1~22.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "26.1-0ubuntu1~22.04.1", "version": "26.1-0ubuntu1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2146833 ], "changes": [ { "cves": [], "log": [ "", " * d/p/0001-Revert-fix-DNS-resolution-performance-regression-dur.patch revert Ec2 URL change ", " * d/p/0001-Revert-fix-support-bond-names-in-network_data.patch revert bond name change", " * d/rules: provide PACKAGED_VERSION env var to force setuptools version to", " match downstream DEB_VERSION", " * refresh patches:", " - d/p/no-nocloud-network.patch", " - d/p/no-single-process.patch", " - d/p/retain-ec2-default-net-update-events.patch", " - d/p/retain-setuptools.patch. Read PACKAGED_VERSION environment variable", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " - d/p/status-do-not-remove-duplicated-data.patch", " - d/p/status-retain-recoverable-error-exit-code.patch", " * Upstream snapshot based on upstream/main at 52ef4d17.", " * Upstream snapshot based on 26.1. (LP: #2146833).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/26.1/ChangeLog", "" ], "package": "cloud-init", "version": "26.1-0ubuntu1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2146833 ], "author": "Chad Smith ", "date": "Mon, 30 Mar 2026 12:56:49 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "libarchive13:riscv64", "from_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.6", "version": "3.6.0-1ubuntu1.6" }, "to_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.7", "version": "3.6.0-1ubuntu1.7" }, "cves": [ { "cve": "CVE-2026-4424", "url": "https://ubuntu.com/security/CVE-2026-4424", "cve_description": "A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.", "cve_priority": "medium", "cve_public_date": "2026-03-19 15:16:00 UTC" }, { "cve": "CVE-2026-4426", "url": "https://ubuntu.com/security/CVE-2026-4426", "cve_description": "A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.", "cve_priority": "medium", "cve_public_date": "2026-03-19 15:16:00 UTC" }, { "cve": "CVE-2026-5121", "url": "https://ubuntu.com/security/CVE-2026-5121", "cve_description": "A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.", "cve_priority": "medium", "cve_public_date": "2026-03-30 08:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-4424", "url": "https://ubuntu.com/security/CVE-2026-4424", "cve_description": "A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.", "cve_priority": "medium", "cve_public_date": "2026-03-19 15:16:00 UTC" }, { "cve": "CVE-2026-4426", "url": "https://ubuntu.com/security/CVE-2026-4426", "cve_description": "A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.", "cve_priority": "medium", "cve_public_date": "2026-03-19 15:16:00 UTC" }, { "cve": "CVE-2026-5121", "url": "https://ubuntu.com/security/CVE-2026-5121", "cve_description": "A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.", "cve_priority": "medium", "cve_public_date": "2026-03-30 08:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap out-of-bounds read during RAR archive processing", " - debian/patches/CVE-2026-4424-1.patch: Reallocate undersized LZSS windows", " in libarchive/archive_read_support_format_rar.c", " - debian/patches/CVE-2026-4424-2.patch: Cast LZSS mask comparison in", " libarchive/archive_read_support_format_rar.c", " - CVE-2026-4424", " * SECURITY UPDATE: Undefined behavior during zisofs decompression", " - debian/patches/CVE-2026-4426.patch: Validate zisofs block size exponent", " in libarchive/archive_read_support_format_iso9660.c", " - CVE-2026-4426", " * SECURITY UPDATE: Integer overflow during zisofs block pointer allocation", " - debian/patches/CVE-2026-5121.patch: Add related regression tests in", " test/test_read_format_iso_zisofs_overflow.c and", " ../test_read_format_iso_zisofs_overflow.iso.uu", " - CVE-2026-5121", "" ], "package": "libarchive", "version": "3.6.0-1ubuntu1.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Shafayat Hossain Majumder ", "date": "Tue, 20 May 2026 11:53:03 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgcrypt20:riscv64", "from_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.9.4-3ubuntu3", "version": "1.9.4-3ubuntu3" }, "to_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.9.4-3ubuntu3.2", "version": "1.9.4-3ubuntu3.2" }, "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap-based buffer overflow via crafted ECDH ciphertext", " - debian/patches/CVE-2026-41989.patch: cipher:ecc: Fix decoding a point on", " Montgomery curve. in cipher/ecc-misc.c.", " - CVE-2026-41989", " * This package does _not_ contain the changes from 1.9.4-3ubuntu3.1 in", " jammy-proposed.", "" ], "package": "libgcrypt20", "version": "1.9.4-3ubuntu3.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 12 May 2026 14:17:54 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgnutls30:riscv64", "from_version": { "source_package_name": "gnutls28", "source_package_version": "3.7.3-4ubuntu1.8", "version": "3.7.3-4ubuntu1.8" }, "to_version": { "source_package_name": "gnutls28", "source_package_version": "3.7.3-4ubuntu1.9", "version": "3.7.3-4ubuntu1.9" }, "cves": [ { "cve": "CVE-2026-33846", "url": "https://ubuntu.com/security/CVE-2026-33846", "cve_description": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.", "cve_priority": "medium", "cve_public_date": "2026-05-04 10:15:00 UTC" }, { "cve": "CVE-2026-42009", "url": "https://ubuntu.com/security/CVE-2026-42009", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.", "cve_priority": "medium", "cve_public_date": "2026-05-18 13:16:00 UTC" }, { "cve": "CVE-2026-33845", "url": "https://ubuntu.com/security/CVE-2026-33845", "cve_description": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3832", "url": "https://ubuntu.com/security/CVE-2026-3832", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3833", "url": "https://ubuntu.com/security/CVE-2026-3833", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-42011", "url": "https://ubuntu.com/security/CVE-2026-42011", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.", "cve_priority": "medium", "cve_public_date": "2026-05-07 15:16:00 UTC" }, { "cve": "CVE-2026-42010", "url": "https://ubuntu.com/security/CVE-2026-42010", "cve_description": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.", "cve_priority": "medium", "cve_public_date": "2026-05-07 12:16:00 UTC" }, { "cve": "CVE-2026-5260", "url": "https://ubuntu.com/security/CVE-2026-5260", "cve_description": "A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42012", "url": "https://ubuntu.com/security/CVE-2026-42012", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42013", "url": "https://ubuntu.com/security/CVE-2026-42013", "cve_description": "A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42014", "url": "https://ubuntu.com/security/CVE-2026-42014", "cve_description": "Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.", "cve_priority": "medium", "cve_public_date": "2026-04-30" }, { "cve": "CVE-2026-42015", "url": "https://ubuntu.com/security/CVE-2026-42015", "cve_description": "A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-33846", "url": "https://ubuntu.com/security/CVE-2026-33846", "cve_description": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.", "cve_priority": "medium", "cve_public_date": "2026-05-04 10:15:00 UTC" }, { "cve": "CVE-2026-42009", "url": "https://ubuntu.com/security/CVE-2026-42009", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.", "cve_priority": "medium", "cve_public_date": "2026-05-18 13:16:00 UTC" }, { "cve": "CVE-2026-33845", "url": "https://ubuntu.com/security/CVE-2026-33845", "cve_description": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3832", "url": "https://ubuntu.com/security/CVE-2026-3832", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3833", "url": "https://ubuntu.com/security/CVE-2026-3833", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-42011", "url": "https://ubuntu.com/security/CVE-2026-42011", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.", "cve_priority": "medium", "cve_public_date": "2026-05-07 15:16:00 UTC" }, { "cve": "CVE-2026-42010", "url": "https://ubuntu.com/security/CVE-2026-42010", "cve_description": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.", "cve_priority": "medium", "cve_public_date": "2026-05-07 12:16:00 UTC" }, { "cve": "CVE-2026-5260", "url": "https://ubuntu.com/security/CVE-2026-5260", "cve_description": "A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42012", "url": "https://ubuntu.com/security/CVE-2026-42012", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42013", "url": "https://ubuntu.com/security/CVE-2026-42013", "cve_description": "A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42014", "url": "https://ubuntu.com/security/CVE-2026-42014", "cve_description": "Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.", "cve_priority": "medium", "cve_public_date": "2026-04-30" }, { "cve": "CVE-2026-42015", "url": "https://ubuntu.com/security/CVE-2026-42015", "cve_description": "A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow in DTLS handshake fragment reassembly", " - debian/patches/CVE-2026-33846-pre1.patch: buffers: shorten", " merge_handshake_packet using recv_buf in lib/buffers.c.", " - debian/patches/CVE-2026-33846.patch: buffers: add more checks to DTLS", " reassembly in lib/buffers.c.", " - CVE-2026-33846", " * SECURITY UPDATE: DTLS packets sequence number ordering issue", " - debian/patches/CVE-2026-42009-pre1.patch: buffers: match DTLS datagrams by", " sequence number in lib/buffers.c.", " - debian/patches/CVE-2026-42009-1.patch: lib/buffers: ensure packets have", " differing sequence numbers in lib/buffers.c.", " - debian/patches/CVE-2026-42009-2.patch: buffers: fix handshake_compare when", " sequence numbers match in lib/buffers.c.", " - CVE-2026-42009", " * SECURITY UPDATE: OOB read via malformed fragments with zero length and", " non-zero offset", " - debian/patches/CVE-2026-33845-pre1.patch: buffers: rename a variable in", " parse_handshake_header in lib/buffers.c.", " - debian/patches/CVE-2026-33845.patch: buffers: switch from end_offset over", " to frag_length in lib/buffers.c, lib/gnutls_int.h.", " - debian/patches/CVE-2026-33845-2.patch: buffers: simplify and tighten", " parse_handshake_header checks in lib/buffers.c.", " - CVE-2026-33845", " * SECURITY UPDATE: malformed OCSP response issue", " - debian/patches/CVE-2026-3832-pre1.patch: iterate ocsp response records", " for matching certificate in doc/examples/ex-ocsp-client.c,", " lib/cert-session.c, lib/ocsp-api.c, src/ocsptool-common.c.", " - debian/patches/CVE-2026-3832-pre2.patch: fix formatting in", " doc/examples/ex-ocsp-client.c, lib/cert-session.c, lib/ocsp-api.c,", " src/ocsptool-common.c.", " - debian/patches/CVE-2026-3832.patch: cert-session: fix multi-entry OCSP", " revocation bypass in lib/cert-session.c.", " - CVE-2026-3832", " * SECURITY UPDATE: policy bypass via x509 case-sensitive comparisons", " - debian/patches/CVE-2026-3833.patch: x509/name-constraints: compare domain", " names case-insensitive in lib/x509/name_constraints.c.", " - CVE-2026-3833", " * SECURITY UPDATE: permitted name constrains were incorrectly ignored", " - debian/patches/CVE-2026-42011.patch: x509/name_constraints: fix", " intersecting empty constraints in lib/x509/name_constraints.c.", " - CVE-2026-42011", " * SECURITY UPDATE: ", " - debian/patches/CVE-2026-42010.patch: lib/auth/rsa_psk: fix binary PSK", " identity lookup in lib/auth/rsa_psk.c.", " - CVE-2026-42010", " * SECURITY UPDATE: incorrect username parsing with NUL characters", " - debian/patches/CVE-2026-5260-1.patch: lib/auth/rsa: check that ciphertext", " matches the modulus size in lib/auth/rsa.c, lib/auth/rsa_psk.c.", " - debian/patches/CVE-2026-5260-2.patch: lib/pkcs11_privkey: guard against", " overreading on short ciphertexts in lib/pkcs11_privkey.c.", " - CVE-2026-5260", " * SECURITY UPDATE: ", " - debian/patches/CVE-2026-42012-pre1.patch: x509/hostname-verify: refactor", " and simplify CN fallback logic in lib/x509/hostname-verify.c.", " - debian/patches/CVE-2026-42012-pre2.patch: Fix for #1132 in", " lib/includes/gnutls/gnutls.h.in, lib/x509/common.h,", " lib/x509/name_constraints.c, lib/x509/output.c, lib/x509/virt-san.c,", " lib/x509/x509.c, tests/Makefile.am, tests/x509-upnconstraint.c.", " - debian/patches/CVE-2026-42012-pre3.patch: x509: add bare-bones awareness", " of SRV virtual SAN in lib/includes/gnutls/gnutls.h.in, lib/x509/common.h,", " lib/x509/name_constraints.c, lib/x509/output.c, lib/x509/virt-san.c,", " lib/x509/x509.c.", " - debian/patches/CVE-2026-42012-pre4.patch: datum, mem, str: add helper", " functions to steal pointers in lib/datum.h, lib/mem.h, lib/str.h.", " - debian/patches/CVE-2026-42012.patch: x509/hostname-verify: make URI/SRV", " SAN preclude CN fallback in lib/x509/hostname-verify.c.", " - CVE-2026-42012", " * SECURITY UPDATE: incorrect URI or SRV Subject Alternative Names checking", " - debian/patches/CVE-2026-42013-pre1.patch: x509/email-verify: call", " fallback DN fallback in lib/x509/email-verify.c.", " - debian/patches/CVE-2026-42013.patch: x509: prevent fallback on oversized", " SAN in lib/x509/email-verify.c, lib/x509/hostname-verify.c.", " - CVE-2026-42013", " * SECURITY UPDATE: UaF when changing the Security Officer PIN", " - debian/patches/CVE-2026-42014.patch: pkcs11_write: fix UAF and leak in", " gnutls_pkcs11_token_set_pin in lib/pkcs11_write.c.", " - CVE-2026-42014", " * SECURITY UPDATE: buffer overflow when appending to a PKCS#12 bag", " - debian/patches/CVE-2026-42015.patch: x509/pkcs12_bag: fix off-by-one in", " bag element bounds check in lib/x509/pkcs12_bag.c.", " - CVE-2026-42015", "" ], "package": "gnutls28", "version": "3.7.3-4ubuntu1.9", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 08 May 2026 14:50:04 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libjcat1:riscv64", "from_version": { "source_package_name": "libjcat", "source_package_version": "0.1.9-1", "version": "0.1.9-1" }, "to_version": { "source_package_name": "libjcat", "source_package_version": "0.2.3-1~ubuntu0.22.04.1", "version": "0.2.3-1~ubuntu0.22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2142578 ], "changes": [ { "cves": [], "log": [ "", " * Backport to jammy for KEK and db updates (LP: #2142578)", "" ], "package": "libjcat", "version": "0.2.3-1~ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2142578 ], "author": "Mate Kukri ", "date": "Tue, 24 Feb 2026 20:28:37 +0000" }, { "cves": [], "log": [ "", " * New upstream version.", " * Drop patches upstream", " * d/control: B-d on pkgconf instead of pkg-config", "" ], "package": "libjcat", "version": "0.2.3-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 19 Mar 2025 09:47:18 -0500" }, { "cves": [], "log": [ "", " * Backport a patch from upstream to fix the installed tests.", "" ], "package": "libjcat", "version": "0.2.0-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 17 Jan 2024 08:52:30 -0600" }, { "cves": [], "log": [ "", " * Upgrade to 0.2.0 release.", "" ], "package": "libjcat", "version": "0.2.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Sun, 14 Jan 2024 10:50:14 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "liblzma5:riscv64", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1", "version": "5.2.5-2ubuntu1" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1.1", "version": "5.2.5-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap buffer overflow", " - debian/patches/CVE-2026-34743.patch: adds a check to", " lzma_index_prealloc() to default to a safe size when decoding empty", " indexes in src/liblzma/common/index.c.", " - CVE-2026-34743", "" ], "package": "xz-utils", "version": "5.2.5-2ubuntu1.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Thu, 28 May 2026 19:06:40 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnetplan0:riscv64", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnss-systemd:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssl3:riscv64", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.23", "version": "3.0.2-0ubuntu1.23" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.25", "version": "3.0.2-0ubuntu1.25" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-pre1.patch: Ensure", " ossl_cms_EncryptedContent_init_bio() reports an error on no OID in", " crypto/cms/cms_enc.c, crypto/cms/cms_err.c, crypto/err/openssl.txt,", " include/openssl/cmserr.h.", " - debian/patches/CVE-2026-34182-1.patch: CMS: Produce error when AEAD", " algorithms are used in enveloped data in crypto/cms/cms_enc.c,", " crypto/cms/cms_env.c, crypto/cms/cms_err.c, crypto/cms/cms_local.h,", " crypto/err/openssl.txt, include/openssl/cmserr.h, test/cms-msg/enveloped-", " content-type-for-aes-gcm.pem, test/cmsapitest.c,", " test/recipes/80-test_cms.t.", " - debian/patches/CVE-2026-34182-2.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-3.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-SIV in providers/implementations/ciphers/cipher_aes_siv.c,", " test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-pre1.patch: Revert unnecessary", " PKCS7_verify() performance optimization in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-bounds", " read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.25", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 15:33:25 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libxmlb2:riscv64", "from_version": { "source_package_name": "libxmlb", "source_package_version": "0.3.6-2build1", "version": "0.3.6-2build1" }, "to_version": { "source_package_name": "libxmlb", "source_package_version": "0.3.24-1~ubuntu0.22.04.1", "version": "0.3.24-1~ubuntu0.22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2142578 ], "changes": [ { "cves": [], "log": [ "", " * Backport to jammy for KEK and db updates (LP: #2142578)", "" ], "package": "libxmlb", "version": "0.3.24-1~ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2142578 ], "author": "Mate Kukri ", "date": "Tue, 24 Feb 2026 20:20:00 +0000" }, { "cves": [], "log": [ "", " * New upstream version", "" ], "package": "libxmlb", "version": "0.3.24-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 10 Sep 2025 13:05:10 -0500" }, { "cves": [], "log": [ "", " * New upstream version", " * Update my email", " * Add salsa-ci.yml", " * Update standards version", "" ], "package": "libxmlb", "version": "0.3.23-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Mon, 18 Aug 2025 15:27:53 -0500" }, { "cves": [], "log": [ "", " * New upstream version", "" ], "package": "libxmlb", "version": "0.3.22-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 19 Mar 2025 10:11:39 -0500" }, { "cves": [], "log": [ "", " * New upstream version", "" ], "package": "libxmlb", "version": "0.3.21-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 19 Mar 2025 10:11:37 -0500" }, { "cves": [], "log": [ "", " * New upstream version", "" ], "package": "libxmlb", "version": "0.3.20-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Mon, 14 Oct 2024 09:20:56 -0500" }, { "cves": [], "log": [ "", " * New upstream version", "" ], "package": "libxmlb", "version": "0.3.19-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 21 Aug 2024 14:09:17 -0500" }, { "cves": [], "log": [ "", " * New upstream version (0.3.18)", " * Drop patch for zstd decompression issue, upstream.", "" ], "package": "libxmlb", "version": "0.3.18-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Tue, 09 Apr 2024 15:52:31 -0500" }, { "cves": [], "log": [ "", " * Backport a patch from upstream to fix decompressing some zstd metadata.", " This fixes accessing some remotes in fwupd.", "" ], "package": "libxmlb", "version": "0.3.17-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Tue, 09 Apr 2024 14:23:10 -0500" }, { "cves": [], "log": [ "", " * New upstream release", "" ], "package": "libxmlb", "version": "0.3.17-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Fri, 05 Apr 2024 06:31:05 -0500" }, { "cves": [], "log": [ "", " * New upstream release", "" ], "package": "libxmlb", "version": "0.3.16-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Mario Limonciello ", "date": "Wed, 03 Apr 2024 09:10:32 -0500" }, { "cves": [], "log": [ "", " * Team upload", " * New upstream release", " * Add Build-Depends: dh-sequence-gir", " * Add Build-Depends-Package", "" ], "package": "libxmlb", "version": "0.3.15-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Thu, 22 Feb 2024 18:56:44 -0500" }, { "cves": [], "log": [ "", " * Fix autopkgtest by setting the right data location", "" ], "package": "libxmlb", "version": "0.3.14-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klumpp ", "date": "Fri, 01 Sep 2023 10:42:10 +0200" }, { "cves": [], "log": [ "", " * New upstream bugfix release: 0.3.14", "" ], "package": "libxmlb", "version": "0.3.14-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klumpp ", "date": "Thu, 24 Aug 2023 22:44:50 +0200" }, { "cves": [], "log": [ "", " * New upstream release: 0.3.13", " * Add dependency on libzstd", " * Mark rules as not requiring root", "" ], "package": "libxmlb", "version": "0.3.13-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klumpp ", "date": "Tue, 22 Aug 2023 22:45:18 +0200" }, { "cves": [], "log": [ "", " * No-change upload to trigger a full rebuild", "" ], "package": "libxmlb", "version": "0.3.10-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klumpp ", "date": "Thu, 22 Dec 2022 23:54:36 +0100" }, { "cves": [], "log": [ "", " * New upstream release: 0.3.10", " - Resolves double-free corruption (Closes: #1019262)", " - xb-tool has been moved to PATH", " - Various other crash fixes", " * Bump standards version: No changes needed", " * Add new package for xb-tool, which is now in PATH", "" ], "package": "libxmlb", "version": "0.3.10-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klumpp ", "date": "Tue, 20 Dec 2022 18:16:38 +0100" }, { "cves": [], "log": [ "", " * New upstream release: 0.3.8", "" ], "package": "libxmlb", "version": "0.3.8-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klumpp ", "date": "Sun, 10 Apr 2022 21:46:50 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.117.117~22.04.1", "version": "6.8.0.117.117~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.124.124~22.04.1", "version": "6.8.0.124.124~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-124.124~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:39:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.117.117~22.04.1", "version": "6.8.0.117.117~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.124.124~22.04.1", "version": "6.8.0.124.124~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-124.124~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:39:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.117.117~22.04.1", "version": "6.8.0.117.117~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.124.124~22.04.1", "version": "6.8.0.124.124~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-124.124~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:39:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.117.117~22.04.1", "version": "6.8.0.117.117~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.124.124~22.04.1", "version": "6.8.0.124.124~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-124.124~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:39:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "nano", "from_version": { "source_package_name": "nano", "source_package_version": "6.2-1ubuntu0.1", "version": "6.2-1ubuntu0.1" }, "to_version": { "source_package_name": "nano", "source_package_version": "6.2-1ubuntu0.2", "version": "6.2-1ubuntu0.2" }, "cves": [ { "cve": "CVE-2026-6842", "url": "https://ubuntu.com/security/CVE-2026-6842", "cve_description": "A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.", "cve_priority": "medium", "cve_public_date": "2026-04-22 08:16:00 UTC" }, { "cve": "CVE-2026-6843", "url": "https://ubuntu.com/security/CVE-2026-6843", "cve_description": "A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.", "cve_priority": "medium", "cve_public_date": "2026-04-22 09:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-6842", "url": "https://ubuntu.com/security/CVE-2026-6842", "cve_description": "A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.", "cve_priority": "medium", "cve_public_date": "2026-04-22 08:16:00 UTC" }, { "cve": "CVE-2026-6843", "url": "https://ubuntu.com/security/CVE-2026-6843", "cve_description": "A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.", "cve_priority": "medium", "cve_public_date": "2026-04-22 09:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Incorrect permission assignment.", " - debian/patches/CVE-2026-6842.patch: Create ~/.local with correct", " permissions in src/history.c.", " - CVE-2026-6842", " * SECURITY UPDATE: Denial of service in redecorate_after_switch", " - debian/patches/CVE-2026-6843.patch: Escape error message to avoid", " content being interpreted as format specifiers in src/files.c", " - CVE-2026-6843", "" ], "package": "nano", "version": "6.2-1ubuntu0.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 03 Jun 2026 16:51:38 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan-generator", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.23", "version": "3.0.2-0ubuntu1.23" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.25", "version": "3.0.2-0ubuntu1.25" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-pre1.patch: Ensure", " ossl_cms_EncryptedContent_init_bio() reports an error on no OID in", " crypto/cms/cms_enc.c, crypto/cms/cms_err.c, crypto/err/openssl.txt,", " include/openssl/cmserr.h.", " - debian/patches/CVE-2026-34182-1.patch: CMS: Produce error when AEAD", " algorithms are used in enveloped data in crypto/cms/cms_enc.c,", " crypto/cms/cms_env.c, crypto/cms/cms_err.c, crypto/cms/cms_local.h,", " crypto/err/openssl.txt, include/openssl/cmserr.h, test/cms-msg/enveloped-", " content-type-for-aes-gcm.pem, test/cmsapitest.c,", " test/recipes/80-test_cms.t.", " - debian/patches/CVE-2026-34182-2.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-3.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-SIV in providers/implementations/ciphers/cipher_aes_siv.c,", " test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-pre1.patch: Revert unnecessary", " PKCS7_verify() performance optimization in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-bounds", " read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.25", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 15:33:25 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-netplan", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-twisted", "from_version": { "source_package_name": "twisted", "source_package_version": "22.1.0-2ubuntu2.6", "version": "22.1.0-2ubuntu2.6" }, "to_version": { "source_package_name": "twisted", "source_package_version": "22.1.0-2ubuntu2.7", "version": "22.1.0-2ubuntu2.7" }, "cves": [ { "cve": "CVE-2026-42304", "url": "https://ubuntu.com/security/CVE-2026-42304", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.", "cve_priority": "medium", "cve_public_date": "2026-05-13 21:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-42304", "url": "https://ubuntu.com/security/CVE-2026-42304", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.", "cve_priority": "medium", "cve_public_date": "2026-05-13 21:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: DNS name decompression denial of service", " - debian/patches/CVE-2026-42304-1.patch: fix denial of service in", " twisted.names mitigation in src/twisted/names/dns.py,", " src/twisted/names/test/test_dns.py.", " - debian/patches/CVE-2026-42304-2.patch: Update src/twisted/names/dns.py.", " - debian/patches/CVE-2026-42304-3.patch: Update", " src/twisted/names/test/test_dns.py.", " - debian/patches/CVE-2026-42304-4.patch: names: Refactor DNS compression", " mitigation in src/twisted/names/dns.py,", " src/twisted/names/newsfragments/12626.bugfix,", " src/twisted/names/test/test_dns.py.", " - debian/patches/CVE-2026-42304-5.patch: names: fix changes in", " src/twisted/names/dns.py, src/twisted/names/test/test_dns.py.", " - debian/patches/CVE-2026-42304-6.patch: Update", " src/twisted/names/newsfragments/12626.bugfix.", " - CVE-2026-42304", "" ], "package": "twisted", "version": "22.1.0-2ubuntu2.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 22 May 2026 11:02:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.6", "version": "1.26.5-1~exp1ubuntu0.6" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.7", "version": "1.26.5-1~exp1ubuntu0.7" }, "cves": [ { "cve": "CVE-2026-44431", "url": "https://ubuntu.com/security/CVE-2026-44431", "cve_description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-44431", "url": "https://ubuntu.com/security/CVE-2026-44431", "cve_description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: sensitive headers not stripped in cross-origin redirects", " - debian/patches/CVE-2026-44431.patch: remove sensitive headers in proxy", " pools too in src/urllib3/connectionpool.py,", " test/with_dummyserver/test_proxy_poolmanager.py.", " - CVE-2026-44431", "" ], "package": "python-urllib3", "version": "1.26.5-1~exp1ubuntu0.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 22 May 2026 16:41:35 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "rsync", "from_version": { "source_package_name": "rsync", "source_package_version": "3.2.7-0ubuntu0.22.04.4", "version": "3.2.7-0ubuntu0.22.04.4" }, "to_version": { "source_package_name": "rsync", "source_package_version": "3.2.7-0ubuntu0.22.04.7", "version": "3.2.7-0ubuntu0.22.04.7" }, "cves": [ { "cve": "CVE-2025-10158", "url": "https://ubuntu.com/security/CVE-2025-10158", "cve_description": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.", "cve_priority": "low", "cve_public_date": "2025-11-18 15:16:00 UTC" }, { "cve": "CVE-2026-29518", "url": "https://ubuntu.com/security/CVE-2026-29518", "cve_description": "Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.", "cve_priority": "high", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-41035", "url": "https://ubuntu.com/security/CVE-2026-41035", "cve_description": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.", "cve_priority": "low", "cve_public_date": "2026-04-16 07:16:00 UTC" }, { "cve": "CVE-2026-43617", "url": "https://ubuntu.com/security/CVE-2026-43617", "cve_description": "Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-43618", "url": "https://ubuntu.com/security/CVE-2026-43618", "cve_description": "Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.", "cve_priority": "high", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-43619", "url": "https://ubuntu.com/security/CVE-2026-43619", "cve_description": "Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-43620", "url": "https://ubuntu.com/security/CVE-2026-43620", "cve_description": "Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-45232", "url": "https://ubuntu.com/security/CVE-2026-45232", "cve_description": "Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2155874 ], "changes": [ { "cves": [], "log": [ "", " * SECURITY REGRESSION: Regression fixes from May 2026 security update", " (LP: #2155874)", " - debian/patches/security-202605/*.patch: added regression fix commits", " backported from 3.4.4 by upstream.", " - debian/patches/fix_flag_got_dir_flist_collision.patch: removed,", " included in patch cluster.", "" ], "package": "rsync", "version": "3.2.7-0ubuntu0.22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2155874 ], "author": "Marc Deslauriers ", "date": "Mon, 08 Jun 2026 10:10:43 -0400" }, { "cves": [ { "cve": "CVE-2025-10158", "url": "https://ubuntu.com/security/CVE-2025-10158", "cve_description": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.", "cve_priority": "low", "cve_public_date": "2025-11-18 15:16:00 UTC" }, { "cve": "CVE-2026-29518", "url": "https://ubuntu.com/security/CVE-2026-29518", "cve_description": "Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.", "cve_priority": "high", "cve_public_date": "2026-05-20 13:16:00 UTC" }, { "cve": "CVE-2026-41035", "url": "https://ubuntu.com/security/CVE-2026-41035", "cve_description": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.", "cve_priority": "low", "cve_public_date": "2026-04-16 07:16:00 UTC" }, { "cve": "CVE-2026-43617", "url": "https://ubuntu.com/security/CVE-2026-43617", "cve_description": "Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-43618", "url": "https://ubuntu.com/security/CVE-2026-43618", "cve_description": "Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.", "cve_priority": "high", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-43619", "url": "https://ubuntu.com/security/CVE-2026-43619", "cve_description": "Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-43620", "url": "https://ubuntu.com/security/CVE-2026-43620", "cve_description": "Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" }, { "cve": "CVE-2026-45232", "url": "https://ubuntu.com/security/CVE-2026-45232", "cve_description": "Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.", "cve_priority": "medium", "cve_public_date": "2026-05-20 02:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: May 2026 security issues", " - debian/patches/security-202605/*.patch: commits to backport security", " fixes to 3.2.7.", " - d/p/CVE-2024-*/*.patch: removed, included in patch cluster.", " - CVE-2025-10158", " - CVE-2026-29518", " - CVE-2026-41035", " - CVE-2026-43617", " - CVE-2026-43618", " - CVE-2026-43619", " - CVE-2026-43620", " - CVE-2026-45232", "" ], "package": "rsync", "version": "3.2.7-0ubuntu0.22.04.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 14 May 2026 11:16:31 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.74.1+ubuntu22.04.4", "version": "2.74.1+ubuntu22.04.4" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.75.2+ubuntu22.04", "version": "2.75.2+ubuntu22.04" }, "cves": [ { "cve": "CVE-2026-3888", "url": "https://ubuntu.com/security/CVE-2026-3888", "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.", "cve_priority": "high", "cve_public_date": "2026-03-17 14:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2143882, 2142130, 2137543, 2142655, 2139664, 2139065, 2002697, 2141461, 2138268, 2138629, 2141328, 2139611, 2139300, 2139099, 2141607, 2138629, 2116949, 2068493, 2134364, 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2143882", " - Interfaces: network-setup-*| allow running python binaries from", " the base on UC26+", " - Cross-distro: modify SELinux policy to allow mounting on", " /var/snap//", " - Fix potential task deadlock by considering all tasks in a lane", " that might be waiting for a reboot when processing delayed", " security backend effects", "" ], "package": "snapd", "version": "2.75.2+ubuntu22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2143882 ], "author": "Katie May ", "date": "Mon, 30 Mar 2026 17:06:36 +0200" }, { "cves": [ { "cve": "CVE-2026-3888", "url": "https://ubuntu.com/security/CVE-2026-3888", "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.", "cve_priority": "high", "cve_public_date": "2026-03-17 14:16:00 UTC" } ], "log": [ "", " - FDE: limit number of boot check log entries", " - Allow a logged in user to refresh private snaps during a refresh", " with multiple snaps", " - Use precise prune pattern for tmpfiles (CVE-2026-3888)", "" ], "package": "snapd", "version": "2.75.1+ubuntu22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Katie May ", "date": "Wed, 18 Mar 2026 09:59:01 +0100" }, { "cves": [], "log": [ "", " - FDE: run early boot check only once per boot", " - FDE: update secboot to revision 77bc2457cc76", " - FDE: add degraded state for status API", " - FDE: prevent resealing tasks from running together", " - FDE: enable using keyslot tokens to store protected keys for UC26+", " - FDE: early commit kcmdline config transaction in update-gadget-", " cmdline to mitigate possible race condition", " - FDE: ensure extra snapd kcmdline fragments are applied", " - FDE: remove old secboot activation API calls", " - LP: #2142130 update apparmor parser to 4.1.7", " - LP: #2137543 disable translations in formatted output for snapctl", " services", " - LP: #2142655 improve snap size reporting precision in snap info", " output", " - LP: #2139664 snap-confine: remove race condition triggered by hat", " profile", " - LP: #2139065 skip 70-snap.*.rules when building dracut initramfs", " - LP: #2002697 error early on removal without purge if home is in", " NFS mount", " - LP: #2141461 Intefaces: allow snap-update-ns to read", " /proc/pid/auxv", " - LP: #2138268 Interfaces: kerberos-tickets| new interface allow", " access to kerberos tickets stored in /tmp", " - Interfaces: block-devices| allow Xen block devices", " - Interfaces: u2f-devices| add Tokey 3 FIDO", " - Interfaces: devlxd| new interface allowing acccess to LXD devlxd", " socket and APIs", " - Interfaces: browser-support| allow reading pressure stall info", " information", " - Interfaces: network-setup-control| allow additional netplan files", " access", " - Interfaces: desktop| allow access kvantum, lxqt, and gtk4", " configuration files", " - Interfaces: system-observe| allow fdinfo access for GPU monitoring", " - Interfaces: ubuntu-pro-control| allow access to Ubuntu Advantage", " client configuration", " - Prompting: add API endpoint to ask whether application should have", " access", " - Prompting: add support for audio-record prompting via API endpoint", " - Prompting: store snap name instead of apparmor label in requests", " - Prompting: respond with 503 to API requests when prompting", " subsystem is shutting down", " - Prompting: generalize prompting subsystem to support requests from", " outside AppArmor", " - Confdb: unset data for missing paths in set request", " - Confdb: return 400 for API requests with missing filter", " constraints", " - Confdb: return 400 for API requests with unmatched filter", " constraints", " - Confdb: support typed constraints in confdb filtering", " - Confdb: fixed unmarshalling transaction with placeholder path in", " deltas", " - Confdb: refresh confdb-schema assertions during manual refresh", " - Remote device management (experimental): add skeleton device", " management manager", " - Remote device management (experimental): add message exchange loop", " - Components: add snap component command, include component summary", " in snap info output", " - Components: enforce validation sets when installing components", " - Configuration: add system.motd configuration option to customize", " message of the day (motd)", " - packaging: remove dependencies libbrotli1, libfreetype6, and", " libpng16-16 from snap", " - snap-bootstrap: use libblkid for disk information to speed up boot", " - snap-confine: improve data handling error", " - snap-confine: use ld cache from the app base for core26+", " - snap: add riscv ISA detection for snaps", " - squashfs: reduce memory footprint of single file extraction", " - Add experimental snap delta format", " - Enable early download of seed snaps during refresh", " - Enable parallel downloads of essential snaps during refresh", " - Disallow removing components required by validation sets", " - Make snap prepare-image fail on --validation=ignore if model has", " enforced validation-sets", " - Fix correctly handling interrupted snap downloads", " - Fix handling of store throttling for refresh-app-awareness", " monitored snaps", " - Stop removed \"endure\" services on refresh", " - Install by default from the initramfs for UC26+, removing the need", " for a reboot after installation", " - Keep minidebuginfo in snapd snap", " - Make snap-specific systemd cgroup mandatory for snaps using core26", " and later, improve messaging for failure scenarios", " - Preserve stale connections of broken snaps", " - Remove enforce-validation-sets need for network", " - Opportunistic discarding of mount namespace when updating slot", " providers", " - Support for delaying updates of snap mount namespaces when", " refreshing slot providers", " - Use application CommonID as default source for desktop ID", "" ], "package": "snapd", "version": "2.75+ubuntu22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2142130, 2137543, 2142655, 2139664, 2139065, 2002697, 2141461, 2138268 ], "author": "Katie May ", "date": "Mon, 09 Mar 2026 17:10:13 +0100" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2138629", " - FDE: measure DeployedMode and AuditMode variables if they appear", " as disabled in the event log to avoid a potential reseal-failure", " boot loop", " - LP: #2141328 FDE: reuse preinstall check context during install to", " account for user-ignored errors", " - LP: #2139611 FDE: fix db updates by allowing multiple payloads", " - LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising", " memory lock limit when required", " - LP: #2139099 snap-confine: bump the max element count of the BPF", " map used to store IDs of allowed/matched devices to 1000", " - LP: #2141607 Desktop: revert change that caused user daemons", " declaring the desktop plug to implicitly depend on graphical-", " session.target", " - Interfaces: Added pidfd_open and memfd_secret to seccomp template", " - Interfaces: camera | add locking permission for /dev/video", "" ], "package": "snapd", "version": "2.74.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2138629, 2141328, 2139611, 2139300, 2139099, 2141607 ], "author": "Ernest Lotter ", "date": "Thu, 12 Feb 2026 21:27:23 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2138629", " - FDE: use new activation API from secboot", " - FDE: use activation API also with non keydata keys", " - FDE: ignore internal recovery key expiration during install", " - FDE: support adding/removing PINs post-installation", " - FDE: support changing PINs post-installation", " - FDE: support adding a recovery key post-installation", " - FDE: provide activation status via new endpoint v2/system-", " info/storage-encrypted", " - FDE: support sealing and resealing using the preinstall check", " result", " - FDE: disable passphrase support during install", " - FDE: add keyboard configuration helpers", " - FDE: lazily inject keyboard layout configuration in kernel cmdline", " - FDE: enable pin tries and limits PIN entry attempts to 3", " - FDE: extend secureboot endpoint to accept DB, KEK, and PK", " - FDE: simplify /v2/system-volumes keyslots handling by allowing", " name-only entries, implicitly expanding to all system containers", " - FDE: support extra non-system key slot names to support agents", " such as Landscape to set dedicated recovery keys", " - FDE: initialize fde state after device state", " - FDE: use device node to find the storage container and keys", " - FDE: provide user visible name for disk based on ID_MODEL", " - FDE: update secboot in snapd with latest additions and fixes", " - core-initrd: add systemd service for setting plymouth keyboard", " layout and X11 keyboard layouts", " - core-initrd: set plymouth cleartext toggle option", " - core-initrd: fix plymouth missing font issue", " - core-initrd: update dependency from libteec1 to libteec2", " - core-initrd: add new dlopened libs", " - LP: #2116949 Preseeding: add support for preseeding of hybrid", " systems via the installer API$", " - Preseeding: check whether a path is a mountpoint before remounting", " - Confdb: support tagging paths as secret in storage schemas", " - Confdb: support filtering on placeholder sub-keys", " - Confdb: support filtering in API and confdbstate", " - Confdb: support field filtering on reads", " - Confdb: support \"parameters\" stanza and check filters against them", " - Confdb: add support for '--with' contraints", " - Confdb: parsing fixes and error handling improvements", " - Assertions: restrict serials to new format in confdb-control", " - Assertions: add verify signature function", " - Remote device management: modify request-message assertion to", " expose its time constraints for remote device management", " - Remote device management: support polling of store messages", " - Remote device management: add signing of response messages with", " device key", " - Prompting: enable notify protocol v5 and test prompt restoration", " after snapd restart", " - snap: change malformed '--channel=' warning to error", " - snap: add 'snap report-issue' command to get the available contact", " details for the specified snap", " - snap: add 'snap version --verbose' flag to include information on", " snap binaries origin", " - snap: create the XDG_RUNTIME_DIR folder", " - LP: #2068493 snap: add support for 'snap refresh --tracking'", " - snapctl: add '--tracking' flag to 'snapctl refresh'", " - Reexec: include the info filepath in the version compare debug log", " - Reexec: add support for forcing reexec into and older snapd snap", " by setting SNAP_REEXEC=force in the environment", " - snap-confine: correct error message related to snap-confine group", " policy validation", " - snap-confine: ensure we only mount existing directories", " - LP: #2134364 snap-confine: handle potential race when creating", " /tmp/snap-private-tmp when lacking systemd-tmpfiles support", " - snap-confine: filter plus characters from security tags", " - Desktop: use desktop file IDs as desktop IDs", " - Desktop: store the common ID in the desktop file", " - Desktop: allow graphical daemons to show icons in the dock", " - Desktop: change user daemons with desktop plug defined to depend", " on graphical-session.target", " - dm-verity for essential snaps: made change to prerequisite struct", " - Cross-distro: modify SELinux profile to allow connecting to squid", " proxy", " - Cross-distro: add support for migrating snap mount directory", " - Packaging: drop ubuntu-14.04 packaging", " - Packaging: drop ubuntu-{14.04,16.04} transitional binary packages", " - Packaging: remove desktop files and state lock file during snapd", " purge", " - Packaging: fix inhibition hint file being left behind on failed", " unlink-current-snap", " - Disallow timeouts < 1us in systemd units", " - Add snap-store to the user-daemons support overrides", " - Support for SuccessExitStatus= generation for systemd daemon", " - Make standby output more verbose", " - Add prepare-serial-request hook", " - Try to discard snap mount namespaces when no processes are running", " during snap updates", " - Improve handling of snap downloads cache by introducing periodic", " cleanup with more aggressive policy", " - Interfaces: mediatek-accel | create new interface", " - Interfaces: nvidia-video-driver-libs | create new interface", " - Interfaces: *-driver-libs | accept component paths", " - Interfaces: desktop-legacy, unity7 | remove workaround for slash", " filtering in ibus address", " - Interfaces: fwupd | allow writing reboot notification in /run", " - Interfaces: add 'install' coreutil to base AppArmor template", " - Interfaces: u2f-devices | add apparmor permissions to allow the", " use of the libfido2 library in snaps", " - Interfaces: u2f-devices | add support for Thetis security key", " - Interfaces: add AppArmor workaround for mmap MAP_HUGETLB", " - Interfaces: timeserver-control | manage per-link ntp settings via", " systemd-networkd", "" ], "package": "snapd", "version": "2.74", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2138629, 2116949, 2068493, 2134364 ], "author": "Ernest Lotter ", "date": "Tue, 20 Jan 2026 18:54:17 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2132084", " - FDE: do not save incomplete FDE state when resealing was skipped", " - FDE: warn of inconsistent primary or policy counter", " - Confdb: document confdb in snapctl help messages", " - Confdb: only confdb hooks wait if snaps are disabled", " - Confdb: relax confdb change conflict checks", " - Confdb: remove empty parent when removing last leaf", " - Confdb: support parsing field filters", " - Confdb: wrap confdb write values under \"values\" key", " - dm-verity for essential snaps: add new naming convention for", " verity files", " - dm-verity for essential snaps: add snap integrity discovery", " - dm-verity for essential snaps: fix verity salt calculation", " - Assertions: add hardware identity assertion", " - Assertions: add integrity stanza in snap resources revisions", " - Assertions: add request message assertion required for remote", " device management", " - Assertions: add response-message assertion for secure remote", " device management", " - Assertions: expose WithStackedBackstore in RODatabase", " - Packaging: cross-distro | install upstream NEWS file into relevant", " snapd package doc directory", " - Packaging: cross-distro | tweak how the blocks injecting", " $SNAP_MOUNT_DIR/bin are generated as required for openSUSE", " - Packaging: remove deprecated snap-gdb-shim and all references now", " that snap run --gdb is unsupported and replaced by --gdbserver", " - Preseed: call systemd-tmpfiles instead handle-writable-paths on", " uc26", " - Preseed: do not remove the /snap dir but rather all its contents", " during reset", " - snap-confine: attach name derived from security tag to BPF maps", " and programs", " - snap-confine: ensure permitted capabilities match expectation", " - snap-confine: fix cached snap-confine profile cleanup to report", " the correct error instead of masking backend setup failures", " - snap-confine: Improve validation of user controlled paths", " - snap-confine: tighten snap cgroup checks to ensure a snap cannot", " start another snap in the same cgroup, preventing incorrect", " device-filter installation", " - core-initrd: add 26.04 ubuntu-core-initramfs package", " - core-initrd: add missing order dependency for setting default", " system files", " - core-initrd: avoid scanning loop and mmc boot partitions as the", " boot disk won't be any of these", " - core-initrd: make cpio a Depends and remove from Build-Depends", " - core-initrd: start plymouth sooner and reload when gadget is", " available", " - Cross-distro: modify syscheck to account for differences in", " openSUSE 16.0+", " - Validation sets: use in-flight validation sets when calling", " 'snapctl install' from hook", " - Prompting: enable prompting for the camera interface", " - Prompting: remove polkit authentication when modifying/deleting", " prompting rules", " - LP: #2127189 Prompting: do not record notices for unchanged rules", " on snapd startup", " - AppArmor: add free and pidof to the template", " - AppArmor: adjust interfaces/profiles to cope with coreutils paths", " - Interfaces: add support for compatibility expressions", " - Interfaces: checkbox-support | complete overhaul", " - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-", " driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-", " driver-libs", " - Interfaces: allow snaps on classic access to nvidia graphics", " libraries exported by *-driver-libs interfaces", " - Interfaces: fwupd | broaden access to /boot/efi/EFI", " - Interfaces: gsettings | set dconf-service as profile for", " ca.desrt.dconf.Writer", " - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new", " interfaces", " - Interfaces: opengl | grant read/write permission to /run/nvidia-", " persistenced/socket", " - interfaces: ros-snapd-support | add access to /v2/changes/", " - Interfaces: system-observe | read access to btrfs/ext4/zfs", " filesystem information", " - Interfaces: system-trace | allow /sys/kernel/tracing/** rw", " - Interfaces: usb-gadget | add support for ffs mounts in attributes", " - Add autocompletion to run command", " - Introduce option for disallowing auto-connection of a specific", " interface", " - Only log errors for user service operations performed as a part of", " snap removal", " - Patch snap names in service requests for parallel installed snaps", " - Simplify traits for eMMC special partitions", " - Strip apparmor_parser from debug symbols shrinking snapd size by", " ~3MB", " - Fix InstallPathMany skipping refresh control", " - Fix waiting for GDB helper to stop before attaching gdbserver", " - Protect the per-snap tmp directory against being reaped by age", " - Prevent disabling base snaps to ensure dependent snaps can be", " removed", " - Modify API endpoint /v2/logs to reject n <= 0 (except for special", " case -1 meaning all)", " - Avoid potential deadlock when task is injected after the change", " was aborted", " - Avoid race between store download stream and cache cleanup", " executing in parallel when invoked by snap download task", " - LP: #1851490 Use \"current\" instead of revision number for icons", " - LP: #2121853 Add snapctl version command", " - LP: #2127214 Ensure no more than one partition on disk can match a", " gadget partition", " - LP: #2127244 snap-confine: update AppArmor profile to allow", " read/write to journal as workaround for snap-confine fd", " inheritance prevented by newer AppArmor", " - LP: #2127766 Add new tracing mechanism with independently running", " strace and shim synchronization", "" ], "package": "snapd", "version": "2.73", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "author": "Ernest Lotter ", "date": "Fri, 21 Nov 2025 09:08:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-timesyncd", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.20", "version": "249.11-0ubuntu3.20" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.21", "version": "249.11-0ubuntu3.21" }, "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7008", "url": "https://ubuntu.com/security/CVE-2023-7008", "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", "cve_priority": "low", "cve_public_date": "2023-12-23 13:15:00 UTC" }, { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature", " - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated", " flag of SOA transaction in src/resolve/resolved-dns-transaction.c.", " - CVE-2023-7008", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "249.11-0ubuntu3.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:40:28 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.29", "version": "2:8.2.3995-1ubuntu2.29" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.31", "version": "2:8.2.3995-1ubuntu2.31" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.31", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 03 Jun 2026 10:41:25 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.30", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 15:28:11 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.29", "version": "2:8.2.3995-1ubuntu2.29" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.31", "version": "2:8.2.3995-1ubuntu2.31" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.31", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 03 Jun 2026 10:41:25 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.30", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 15:28:11 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.29", "version": "2:8.2.3995-1ubuntu2.29" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.31", "version": "2:8.2.3995-1ubuntu2.31" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.31", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 03 Jun 2026 10:41:25 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.30", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 15:28:11 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.29", "version": "2:8.2.3995-1ubuntu2.29" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.31", "version": "2:8.2.3995-1ubuntu2.31" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.31", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 03 Jun 2026 10:41:25 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.30", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 15:28:11 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.29", "version": "2:8.2.3995-1ubuntu2.29" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.31", "version": "2:8.2.3995-1ubuntu2.31" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.31", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 03 Jun 2026 10:41:25 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.30", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 15:28:11 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "xz-utils", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1", "version": "5.2.5-2ubuntu1" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1.1", "version": "5.2.5-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap buffer overflow", " - debian/patches/CVE-2026-34743.patch: adds a check to", " lzma_index_prealloc() to default to a safe size when decoding empty", " indexes in src/liblzma/common/index.c.", " - CVE-2026-34743", "" ], "package": "xz-utils", "version": "5.2.5-2ubuntu1.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Thu, 28 May 2026 19:06:40 +0300" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.8.0-124-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-124.124~22.04.1", "version": "6.8.0-124.124~22.04.1" }, "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " [ Ubuntu: 6.8.0-124.124 ]", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " [ Ubuntu: 6.8.0-121.121 ]", "", " * apparmor (LP: #2151747)", " - apparmor: Fix incorrect profile->signal range check", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", " * apparmor (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", " * apparmor (LP: #2151747) // CVE-2026-47336", " - SAUCE: apparmor: fix use of unintialized variable in net opt level", " * apparmor (LP: #2151747) // CVE-2026-47335", " - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL", " check", " * apparmor (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", " * apparmor (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", " * apparmor (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", " * apparmor (LP: #2151747) // CVE-2026-47331", " - SAUCE: apparmor: fix changing rules list without a lock", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", " * apparmor (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", " * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", " * apparmor (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " [ Ubuntu: 6.8.0-120.120 ]", "", " * noble/linux: 6.8.0-120.120 -proposed tracker (LP: #2153733)", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Parse received packets before dealing with timeouts", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", " * CVE-2026-31676 // CVE-2026-43500", " - rxrpc: only handle RESPONSE during service challenge", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:38:42 +0200" } ], "notes": "linux-headers-6.8.0-124-generic version '6.8.0-124.124~22.04.1' (source package linux-riscv-6.8 version '6.8.0-124.124~22.04.1') was added. linux-headers-6.8.0-124-generic version '6.8.0-124.124~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-117-generic. As such we can use the source package version of the removed package, '6.8.0-117.117~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-6.8.0-124-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-124.124~22.04.1", "version": "6.8.0-124.124~22.04.1" }, "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " [ Ubuntu: 6.8.0-124.124 ]", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " [ Ubuntu: 6.8.0-121.121 ]", "", " * apparmor (LP: #2151747)", " - apparmor: Fix incorrect profile->signal range check", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", " * apparmor (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", " * apparmor (LP: #2151747) // CVE-2026-47336", " - SAUCE: apparmor: fix use of unintialized variable in net opt level", " * apparmor (LP: #2151747) // CVE-2026-47335", " - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL", " check", " * apparmor (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", " * apparmor (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", " * apparmor (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", " * apparmor (LP: #2151747) // CVE-2026-47331", " - SAUCE: apparmor: fix changing rules list without a lock", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", " * apparmor (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", " * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", " * apparmor (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " [ Ubuntu: 6.8.0-120.120 ]", "", " * noble/linux: 6.8.0-120.120 -proposed tracker (LP: #2153733)", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Parse received packets before dealing with timeouts", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", " * CVE-2026-31676 // CVE-2026-43500", " - rxrpc: only handle RESPONSE during service challenge", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:38:42 +0200" } ], "notes": "linux-image-6.8.0-124-generic version '6.8.0-124.124~22.04.1' (source package linux-riscv-6.8 version '6.8.0-124.124~22.04.1') was added. linux-image-6.8.0-124-generic version '6.8.0-124.124~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-117-generic. As such we can use the source package version of the removed package, '6.8.0-117.117~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-124-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-124.124~22.04.1", "version": "6.8.0-124.124~22.04.1" }, "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " [ Ubuntu: 6.8.0-124.124 ]", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " [ Ubuntu: 6.8.0-121.121 ]", "", " * apparmor (LP: #2151747)", " - apparmor: Fix incorrect profile->signal range check", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", " * apparmor (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", " * apparmor (LP: #2151747) // CVE-2026-47336", " - SAUCE: apparmor: fix use of unintialized variable in net opt level", " * apparmor (LP: #2151747) // CVE-2026-47335", " - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL", " check", " * apparmor (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", " * apparmor (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", " * apparmor (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", " * apparmor (LP: #2151747) // CVE-2026-47331", " - SAUCE: apparmor: fix changing rules list without a lock", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", " * apparmor (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", " * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", " * apparmor (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " [ Ubuntu: 6.8.0-120.120 ]", "", " * noble/linux: 6.8.0-120.120 -proposed tracker (LP: #2153733)", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Parse received packets before dealing with timeouts", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", " * CVE-2026-31676 // CVE-2026-43500", " - rxrpc: only handle RESPONSE during service challenge", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:38:42 +0200" } ], "notes": "linux-modules-6.8.0-124-generic version '6.8.0-124.124~22.04.1' (source package linux-riscv-6.8 version '6.8.0-124.124~22.04.1') was added. linux-modules-6.8.0-124-generic version '6.8.0-124.124~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-117-generic. As such we can use the source package version of the removed package, '6.8.0-117.117~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-riscv-6.8-headers-6.8.0-124", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-124.124~22.04.1", "version": "6.8.0-124.124~22.04.1" }, "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "changes": [ { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " [ Ubuntu: 6.8.0-124.124 ]", "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "", " [ Ubuntu: 6.8.0-121.121 ]", "", " * apparmor (LP: #2151747)", " - apparmor: Fix incorrect profile->signal range check", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", " * apparmor (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", " * apparmor (LP: #2151747) // CVE-2026-47336", " - SAUCE: apparmor: fix use of unintialized variable in net opt level", " * apparmor (LP: #2151747) // CVE-2026-47335", " - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL", " check", " * apparmor (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", " * apparmor (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", " * apparmor (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", " * apparmor (LP: #2151747) // CVE-2026-47331", " - SAUCE: apparmor: fix changing rules list without a lock", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", " * apparmor (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", " * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", " * apparmor (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "", " [ Ubuntu: 6.8.0-120.120 ]", "", " * noble/linux: 6.8.0-120.120 -proposed tracker (LP: #2153733)", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Parse received packets before dealing with timeouts", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", " * CVE-2026-31676 // CVE-2026-43500", " - rxrpc: only handle RESPONSE during service challenge", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-124.124~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 22:38:42 +0200" } ], "notes": "linux-riscv-6.8-headers-6.8.0-124 version '6.8.0-124.124~22.04.1' (source package linux-riscv-6.8 version '6.8.0-124.124~22.04.1') was added. linux-riscv-6.8-headers-6.8.0-124 version '6.8.0-124.124~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-117-generic. As such we can use the source package version of the removed package, '6.8.0-117.117~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.8.0-117-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": "6.8.0-117.117~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-6.8.0-117-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": "6.8.0-117.117~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-117-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": "6.8.0-117.117~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-riscv-6.8-headers-6.8.0-117", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-117.117~22.04.1", "version": "6.8.0-117.117~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20260515 to 20260617", "from_series": "jammy", "to_series": "jammy", "from_serial": "20260515", "to_serial": "20260617", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }