{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-image-7.0.0-22-generic", "linux-main-modules-zfs-7.0.0-22-generic", "linux-modules-7.0.0-22-generic" ], "removed": [ "linux-image-7.0.0-15-generic", "linux-main-modules-zfs-7.0.0-15-generic", "linux-modules-7.0.0-15-generic" ], "diff": [ "ca-certificates", "libgcrypt20", "libssh2-1t64", "libssl3t64", "linux-image-virtual", "openssl", "openssl-provider-legacy", "python3-distupgrade", "python3-urllib3", "ubuntu-release-upgrader-core", "xxd" ] } }, "diff": { "deb": [ { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20260223", "version": "20260223" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20260601~26.04.1", "version": "20260601~26.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2156786 ], "changes": [ { "cves": [], "log": [ "", " * Update Mozilla certificate authority bundle to version 2.86", " (LP: #2156786)", " The following certificate authority was added (+):", " + e-Szigno TLS Root CA 2023", " The following certificate authorities were removed (-):", " - QuoVadis Root CA 2", " - QuoVadis Root CA 3", " - DigiCert Assured ID Root CA", " - DigiCert Global Root CA", " - DigiCert High Assurance EV Root CA", " - SwissSign Gold CA - G2", " - SecureTrust CA", " - Secure Global CA", " - COMODO Certification Authority", " - Certigna", " - certSIGN ROOT CA", " - AffirmTrust Commercial", " - AffirmTrust Networking", " - AffirmTrust Premium", " - AffirmTrust Premium ECC", " - TeliaSonera Root CA v1", " - Entrust Root Certification Authority - G2", " - Entrust Root Certification Authority - EC1", " - Trustwave Global Certification Authority", " - Trustwave Global ECC P256 Certification Authority", " - Trustwave Global ECC P384 Certification Authority", " - GLOBALTRUST 2020", " - GTS Root R2", " - FIRMAPROFESIONAL CA ROOT-A WEB", " The following certificate authority was renamed (~):", " ~ \"OISTE Server Root RSA G1\" (removed leading space)", "" ], "package": "ca-certificates", "version": "20260601~26.04.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [ 2156786 ], "author": "Marc Deslauriers ", "date": "Mon, 15 Jun 2026 12:17:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgcrypt20", "from_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.12.0-2", "version": "1.12.0-2" }, "to_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.12.0-2ubuntu0.1", "version": "1.12.0-2ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" }, { "cve": "CVE-2026-41990", "url": "https://ubuntu.com/security/CVE-2026-41990", "cve_description": "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" }, { "cve": "CVE-2026-41990", "url": "https://ubuntu.com/security/CVE-2026-41990", "cve_description": "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap-based buffer overflow via crafted ECDH ciphertext", " - debian/patches/CVE-2026-41989.patch: cipher:ecc: Fix decoding a point on", " Montgomery curve. in cipher/ecc-misc.c.", " - CVE-2026-41989", " * SECURITY UPDATE: Dilithium signing mishandling", " - debian/patches/CVE-2026-41990.patch: cipher:dilithium: Check the label", " length by caller. in cipher/dilithium.c, cipher/dilithium.h,", " cipher/pubkey-dilithium.c.", " - CVE-2026-41990", "" ], "package": "libgcrypt20", "version": "1.12.0-2ubuntu0.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 12 May 2026 11:01:30 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssh2-1t64", "from_version": { "source_package_name": "libssh2", "source_package_version": "1.11.1-1build2", "version": "1.11.1-1build2" }, "to_version": { "source_package_name": "libssh2", "source_package_version": "1.11.1-1ubuntu0.26.04.1", "version": "1.11.1-1ubuntu0.26.04.1" }, "cves": [ { "cve": "CVE-2026-7598", "url": "https://ubuntu.com/security/CVE-2026-7598", "cve_description": "A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2026-05-01 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-7598", "url": "https://ubuntu.com/security/CVE-2026-7598", "cve_description": "A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2026-05-01 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: integer overflow via long username", " - debian/patches/CVE-2026-7598.patch: add username_len bounds checking in", " src/userauth.c.", " - CVE-2026-7598", "" ], "package": "libssh2", "version": "1.11.1-1ubuntu0.26.04.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 05 May 2026 12:39:40 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssl3t64", "from_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3", "version": "3.5.5-1ubuntu3" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3.2", "version": "3.5.5-1ubuntu3.2" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34181", "url": "https://ubuntu.com/security/CVE-2026-34181", "cve_description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34183", "url": "https://ubuntu.com/security/CVE-2026-34183", "cve_description": "Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42764", "url": "https://ubuntu.com/security/CVE-2026-42764", "cve_description": "Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42768", "url": "https://ubuntu.com/security/CVE-2026-42768", "cve_description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42769", "url": "https://ubuntu.com/security/CVE-2026-42769", "cve_description": "Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34181", "url": "https://ubuntu.com/security/CVE-2026-34181", "cve_description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34183", "url": "https://ubuntu.com/security/CVE-2026-34183", "cve_description": "Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42764", "url": "https://ubuntu.com/security/CVE-2026-42764", "cve_description": "Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42768", "url": "https://ubuntu.com/security/CVE-2026-42768", "cve_description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42769", "url": "https://ubuntu.com/security/CVE-2026-42769", "cve_description": "Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", " - debian/patches/CVE-2026-34181.patch: pkcs12: verify that the pbmac1 key", " length is safe in crypto/pkcs12/p12_mutl.c.", " - CVE-2026-34181", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-1.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-2.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", " - debian/patches/CVE-2026-34183-1.patch: QUIC stack must limit the number of", " PATH_CHALLENGE frames processed in RX in include/internal/quic_cfq.h,", " include/internal/quic_channel.h, include/internal/quic_fifd.h,", " ssl/quic/quic_cfq.c, ssl/quic/quic_channel.c,", " ssl/quic/quic_channel_local.h, ssl/quic/quic_fifd.c,", " ssl/quic/quic_rx_depack.c, ssl/quic/quic_txp.c.", " - debian/patches/CVE-2026-34183-2.patch: Add test for path challenge flood", " mitigation in include/internal/quic_channel.h, ssl/quic/quic_channel.c,", " ssl/quic/quic_channel_local.h, ssl/quic/quic_rx_depack.c,", " test/radix/quic_tests.c.", " - CVE-2026-34183", " * SECURITY UPDATE: NULL pointer dereference in QUIC server initial packet", " handling", " - debian/patches/CVE-2026-42764.patch: Fix NULL dereference in QUIC address", " validation in ssl/quic/quic_port.c.", " - CVE-2026-42764", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()", " and PKCS7_decrypt()", " - debian/patches/CVE-2026-42768.patch: Enforce implicit rejection for", " CMS/PKCS#7 decryption in crypto/cms/cms_env.c, crypto/pkcs7/pk7_doit.c,", " doc/man3/CMS_decrypt.pod, doc/man3/PKCS7_decrypt.pod.", " - CVE-2026-42768", " * SECURITY UPDATE: Trust-Anchor Substitution via cert/issuer Typo in CMP", " rootCaKeyUpdate", " - debian/patches/CVE-2026-42769.patch: Use the correct issuer when", " validating rootCAKeyUpdate in crypto/cmp/cmp_genm.c.", " - CVE-2026-42769", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-GCM-SIV and AES-SIV in", " providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c,", " providers/implementations/ciphers/cipher_aes_siv.c, test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-", " bounds read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", " * Fix ppc64 FTBFS because of incorrect regex match (LP: 2137464)", " - debian/patches/regex_match_ecp_nistp521-ppc64.patch: removed,", " incomplete version.", " - debian/patches/fix_ppc64_regex_match.patch: match last filename for", " output in ecp_nistp*-ppc64.pl.", "" ], "package": "openssl", "version": "3.5.5-1ubuntu3.2", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 13:21:36 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-15.15", "version": "7.0.0-15.15" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-22.22", "" ], "package": "linux-meta", "version": "7.0.0-22.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Mon, 25 May 2026 14:42:10 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-20.20", "" ], "package": "linux-meta", "version": "7.0.0-20.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 23:04:12 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-19.19", "" ], "package": "linux-meta", "version": "7.0.0-19.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 16:38:56 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-18.18", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "7.0.0-18.18", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Fri, 08 May 2026 23:34:15 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-17.17", "" ], "package": "linux-meta", "version": "7.0.0-17.17", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Tue, 05 May 2026 16:54:03 +0300" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-16.16", "" ], "package": "linux-meta", "version": "7.0.0-16.16", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Thu, 30 Apr 2026 23:57:01 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3", "version": "3.5.5-1ubuntu3" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3.2", "version": "3.5.5-1ubuntu3.2" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34181", "url": "https://ubuntu.com/security/CVE-2026-34181", "cve_description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34183", "url": "https://ubuntu.com/security/CVE-2026-34183", "cve_description": "Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42764", "url": "https://ubuntu.com/security/CVE-2026-42764", "cve_description": "Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42768", "url": "https://ubuntu.com/security/CVE-2026-42768", "cve_description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42769", "url": "https://ubuntu.com/security/CVE-2026-42769", "cve_description": "Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34181", "url": "https://ubuntu.com/security/CVE-2026-34181", "cve_description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34183", "url": "https://ubuntu.com/security/CVE-2026-34183", "cve_description": "Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42764", "url": "https://ubuntu.com/security/CVE-2026-42764", "cve_description": "Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42768", "url": "https://ubuntu.com/security/CVE-2026-42768", "cve_description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42769", "url": "https://ubuntu.com/security/CVE-2026-42769", "cve_description": "Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", " - debian/patches/CVE-2026-34181.patch: pkcs12: verify that the pbmac1 key", " length is safe in crypto/pkcs12/p12_mutl.c.", " - CVE-2026-34181", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-1.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-2.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", " - debian/patches/CVE-2026-34183-1.patch: QUIC stack must limit the number of", " PATH_CHALLENGE frames processed in RX in include/internal/quic_cfq.h,", " include/internal/quic_channel.h, include/internal/quic_fifd.h,", " ssl/quic/quic_cfq.c, ssl/quic/quic_channel.c,", " ssl/quic/quic_channel_local.h, ssl/quic/quic_fifd.c,", " ssl/quic/quic_rx_depack.c, ssl/quic/quic_txp.c.", " - debian/patches/CVE-2026-34183-2.patch: Add test for path challenge flood", " mitigation in include/internal/quic_channel.h, ssl/quic/quic_channel.c,", " ssl/quic/quic_channel_local.h, ssl/quic/quic_rx_depack.c,", " test/radix/quic_tests.c.", " - CVE-2026-34183", " * SECURITY UPDATE: NULL pointer dereference in QUIC server initial packet", " handling", " - debian/patches/CVE-2026-42764.patch: Fix NULL dereference in QUIC address", " validation in ssl/quic/quic_port.c.", " - CVE-2026-42764", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()", " and PKCS7_decrypt()", " - debian/patches/CVE-2026-42768.patch: Enforce implicit rejection for", " CMS/PKCS#7 decryption in crypto/cms/cms_env.c, crypto/pkcs7/pk7_doit.c,", " doc/man3/CMS_decrypt.pod, doc/man3/PKCS7_decrypt.pod.", " - CVE-2026-42768", " * SECURITY UPDATE: Trust-Anchor Substitution via cert/issuer Typo in CMP", " rootCaKeyUpdate", " - debian/patches/CVE-2026-42769.patch: Use the correct issuer when", " validating rootCAKeyUpdate in crypto/cmp/cmp_genm.c.", " - CVE-2026-42769", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-GCM-SIV and AES-SIV in", " providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c,", " providers/implementations/ciphers/cipher_aes_siv.c, test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-", " bounds read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", " * Fix ppc64 FTBFS because of incorrect regex match (LP: 2137464)", " - debian/patches/regex_match_ecp_nistp521-ppc64.patch: removed,", " incomplete version.", " - debian/patches/fix_ppc64_regex_match.patch: match last filename for", " output in ecp_nistp*-ppc64.pl.", "" ], "package": "openssl", "version": "3.5.5-1ubuntu3.2", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 13:21:36 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl-provider-legacy", "from_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3", "version": "3.5.5-1ubuntu3" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3.2", "version": "3.5.5-1ubuntu3.2" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34181", "url": "https://ubuntu.com/security/CVE-2026-34181", "cve_description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34183", "url": "https://ubuntu.com/security/CVE-2026-34183", "cve_description": "Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42764", "url": "https://ubuntu.com/security/CVE-2026-42764", "cve_description": "Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42768", "url": "https://ubuntu.com/security/CVE-2026-42768", "cve_description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42769", "url": "https://ubuntu.com/security/CVE-2026-42769", "cve_description": "Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34181", "url": "https://ubuntu.com/security/CVE-2026-34181", "cve_description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34183", "url": "https://ubuntu.com/security/CVE-2026-34183", "cve_description": "Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42764", "url": "https://ubuntu.com/security/CVE-2026-42764", "cve_description": "Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42768", "url": "https://ubuntu.com/security/CVE-2026-42768", "cve_description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42769", "url": "https://ubuntu.com/security/CVE-2026-42769", "cve_description": "Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", " - debian/patches/CVE-2026-34181.patch: pkcs12: verify that the pbmac1 key", " length is safe in crypto/pkcs12/p12_mutl.c.", " - CVE-2026-34181", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-1.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-2.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", " - debian/patches/CVE-2026-34183-1.patch: QUIC stack must limit the number of", " PATH_CHALLENGE frames processed in RX in include/internal/quic_cfq.h,", " include/internal/quic_channel.h, include/internal/quic_fifd.h,", " ssl/quic/quic_cfq.c, ssl/quic/quic_channel.c,", " ssl/quic/quic_channel_local.h, ssl/quic/quic_fifd.c,", " ssl/quic/quic_rx_depack.c, ssl/quic/quic_txp.c.", " - debian/patches/CVE-2026-34183-2.patch: Add test for path challenge flood", " mitigation in include/internal/quic_channel.h, ssl/quic/quic_channel.c,", " ssl/quic/quic_channel_local.h, ssl/quic/quic_rx_depack.c,", " test/radix/quic_tests.c.", " - CVE-2026-34183", " * SECURITY UPDATE: NULL pointer dereference in QUIC server initial packet", " handling", " - debian/patches/CVE-2026-42764.patch: Fix NULL dereference in QUIC address", " validation in ssl/quic/quic_port.c.", " - CVE-2026-42764", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()", " and PKCS7_decrypt()", " - debian/patches/CVE-2026-42768.patch: Enforce implicit rejection for", " CMS/PKCS#7 decryption in crypto/cms/cms_env.c, crypto/pkcs7/pk7_doit.c,", " doc/man3/CMS_decrypt.pod, doc/man3/PKCS7_decrypt.pod.", " - CVE-2026-42768", " * SECURITY UPDATE: Trust-Anchor Substitution via cert/issuer Typo in CMP", " rootCaKeyUpdate", " - debian/patches/CVE-2026-42769.patch: Use the correct issuer when", " validating rootCAKeyUpdate in crypto/cmp/cmp_genm.c.", " - CVE-2026-42769", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-GCM-SIV and AES-SIV in", " providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c,", " providers/implementations/ciphers/cipher_aes_siv.c, test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-", " bounds read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", " * Fix ppc64 FTBFS because of incorrect regex match (LP: 2137464)", " - debian/patches/regex_match_ecp_nistp521-ppc64.patch: removed,", " incomplete version.", " - debian/patches/fix_ppc64_regex_match.patch: match last filename for", " output in ecp_nistp*-ppc64.pl.", "" ], "package": "openssl", "version": "3.5.5-1ubuntu3.2", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 13:21:36 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-distupgrade", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.18", "version": "1:26.04.18" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.22", "version": "1:26.04.22" }, "cves": [], "launchpad_bugs_fixed": [ 2154602, 2154724, 2150319, 2151216 ], "changes": [ { "cves": [], "log": [ "", " [ Carlos Nihelton ]", " * data/release-upgrades: set Prompt=lts for resolute (LP: #2154602)", "", " [ Simon Johnsson ]", " * DistUpgradeQuirks: fix formatting and linting errors (LP: #2154724)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154602, 2154724 ], "author": "Carlos Nihelton ", "date": "Fri, 29 May 2026 15:58:15 -0300" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: Fix log message when installing piboot-try", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Dave Jones ", "date": "Fri, 22 May 2026 17:48:19 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: mark libfile-libmagic-perl for install on Noble if", " lintian is installed (LP: #2150319):", " - This fixes a resolver deadlock on systems with a lot of packages", " (such as having ubuntu-desktop installed) as the resolver would increase", " strictness and prefer not to install additional dependencies.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2150319 ], "author": "Simon Johnsson ", "date": "Mon, 04 May 2026 16:30:48 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: On Pi installations, force the installation of", " piboot-try over flash-kernel (LP: #2151216)", " * Use PostDistUpgradeCache for this and the dracut migration on Pi to ease", " upgrade calculation", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2151216 ], "author": "Dave Jones ", "date": "Tue, 05 May 2026 11:58:10 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "2.6.3-1ubuntu1", "version": "2.6.3-1ubuntu1" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "2.6.3-1ubuntu1.1", "version": "2.6.3-1ubuntu1.1" }, "cves": [ { "cve": "CVE-2026-44431", "url": "https://ubuntu.com/security/CVE-2026-44431", "cve_description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" }, { "cve": "CVE-2026-44432", "url": "https://ubuntu.com/security/CVE-2026-44432", "cve_description": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-44431", "url": "https://ubuntu.com/security/CVE-2026-44431", "cve_description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" }, { "cve": "CVE-2026-44432", "url": "https://ubuntu.com/security/CVE-2026-44432", "cve_description": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: sensitive headers not stripped in cross-origin redirects", " - debian/patches/CVE-2026-44431.patch: remove sensitive headers in proxy", " pools too in dummyserver/asgi_proxy.py, src/urllib3/connectionpool.py,", " test/with_dummyserver/test_proxy_poolmanager.py.", " - CVE-2026-44431", " * SECURITY UPDATE: resource consumption via response decompression", " - debian/patches/CVE-2026-44432.patch: fix full decompression on the 2nd", " small read from response using Brotli in", " src/urllib3/response.py, test/test_response.py,", " test/with_dummyserver/test_connection.py.", " - CVE-2026-44432", "" ], "package": "python-urllib3", "version": "2.6.3-1ubuntu1.1", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 22 May 2026 13:26:37 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-release-upgrader-core", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.18", "version": "1:26.04.18" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.22", "version": "1:26.04.22" }, "cves": [], "launchpad_bugs_fixed": [ 2154602, 2154724, 2150319, 2151216 ], "changes": [ { "cves": [], "log": [ "", " [ Carlos Nihelton ]", " * data/release-upgrades: set Prompt=lts for resolute (LP: #2154602)", "", " [ Simon Johnsson ]", " * DistUpgradeQuirks: fix formatting and linting errors (LP: #2154724)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154602, 2154724 ], "author": "Carlos Nihelton ", "date": "Fri, 29 May 2026 15:58:15 -0300" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: Fix log message when installing piboot-try", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.21", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Dave Jones ", "date": "Fri, 22 May 2026 17:48:19 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: mark libfile-libmagic-perl for install on Noble if", " lintian is installed (LP: #2150319):", " - This fixes a resolver deadlock on systems with a lot of packages", " (such as having ubuntu-desktop installed) as the resolver would increase", " strictness and prefer not to install additional dependencies.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2150319 ], "author": "Simon Johnsson ", "date": "Mon, 04 May 2026 16:30:48 +0200" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: On Pi installations, force the installation of", " piboot-try over flash-kernel (LP: #2151216)", " * Use PostDistUpgradeCache for this and the dracut migration on Pi to ease", " upgrade calculation", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2151216 ], "author": "Dave Jones ", "date": "Tue, 05 May 2026 11:58:10 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.1", "version": "2:9.1.2141-1ubuntu4.1" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4.3", "version": "2:9.1.2141-1ubuntu4.3" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/pack/dist/opt/netrw/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.3", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Tue, 02 Jun 2026 15:57:23 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/pack/dist/opt/netrw/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4.2", "urgency": "medium", "distributions": "resolute-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 13:11:32 -0600" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-image-7.0.0-22-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "7.0.0-15.15", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-22.22", "" ], "package": "linux-signed", "version": "7.0.0-22.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Mon, 25 May 2026 14:42:18 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-20.20", "" ], "package": "linux-signed", "version": "7.0.0-20.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 23:04:20 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-19.19", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "7.0.0-19.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 16:39:06 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-18.18", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "7.0.0-18.18", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Fri, 08 May 2026 23:34:30 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-17.17", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync debian/templates", "" ], "package": "linux-signed", "version": "7.0.0-17.17", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Timo Aaltonen ", "date": "Tue, 05 May 2026 16:54:11 +0300" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-16.16", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync debian/templates", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "7.0.0-16.16", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Timo Aaltonen ", "date": "Thu, 30 Apr 2026 23:57:08 +0300" } ], "notes": "linux-image-7.0.0-22-generic version '7.0.0-22.22' (source package linux-signed version '7.0.0-22.22') was added. linux-image-7.0.0-22-generic version '7.0.0-22.22' has the same source package name, linux-signed, as removed package linux-image-7.0.0-15-generic. As such we can use the source package version of the removed package, '7.0.0-15.15', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-main-modules-zfs-7.0.0-22-generic", "from_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-15.15+1", "version": null }, "to_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", "", " * Miscellaneous upstream changes", " - lmm: Add synthetic dependency for LMM package, to stop early promotion", "" ], "package": "linux-main-signed", "version": "7.0.0-15.15+1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Tue, 28 Apr 2026 16:51:29 +0300" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-15.15", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-main-signed", "version": "7.0.0-15.15", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Paolo Pisati ", "date": "Wed, 22 Apr 2026 16:06:36 +0200" }, { "cves": [], "log": [ "", "", " * Miscellaneous upstream changes", " - Revert \"lmm: Add synthetic dependency for LMM package, to stop early", " promotion\"", "" ], "package": "linux-main-signed", "version": "7.0.0-14.14+3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Tue, 14 Apr 2026 13:38:00 +0300" }, { "cves": [], "log": [ "", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- update from kernel-versions", " (main/d2026.04.13)", "" ], "package": "linux-main-signed", "version": "7.0.0-14.14+2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Timo Aaltonen ", "date": "Tue, 14 Apr 2026 09:23:27 +0300" }, { "cves": [], "log": [ "", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- update from kernel-versions", " (main/d2026.04.13)", "" ], "package": "linux-main-signed", "version": "7.0.0-14.14+1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Timo Aaltonen ", "date": "Mon, 13 Apr 2026 20:03:08 +0300" } ], "notes": "linux-main-modules-zfs-7.0.0-22-generic version '7.0.0-22.22' (source package linux-main-signed version '7.0.0-22.22') was added. linux-main-modules-zfs-7.0.0-22-generic version '7.0.0-22.22' has the same source package name, linux-main-signed, as removed package linux-main-modules-zfs-7.0.0-15-generic. As such we can use the source package version of the removed package, '7.0.0-15.15+1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-7.0.0-22-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-15.15", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-22.22", "version": "7.0.0-22.22" }, "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153786, 1786013, 2153962 ], "changes": [ { "cves": [], "log": [ "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "" ], "package": "linux", "version": "7.0.0-22.22", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2154172 ], "author": "Manuel Diewald ", "date": "Mon, 25 May 2026 14:41:37 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" } ], "log": [ "", " * apparmor (LP: #2151747)", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * apparmor (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * apparmor (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * apparmor (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * apparmor (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * apparmor (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * apparmor (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "" ], "package": "linux", "version": "7.0.0-20.20", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747 ], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 22:58:06 +0200" }, { "cves": [ { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * resolute/linux: 7.0.0-19.19 -proposed tracker (LP: #2153786)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", " - [Packaging] debian.master/dkms-versions -- remove dkms-versions", " (main/s2026.05.11)", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "7.0.0-19.19", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2153786, 1786013, 2153962 ], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 16:12:08 +0200" } ], "notes": "linux-modules-7.0.0-22-generic version '7.0.0-22.22' (source package linux version '7.0.0-22.22') was added. linux-modules-7.0.0-22-generic version '7.0.0-22.22' has the same source package name, linux, as removed package linux-modules-7.0.0-15-generic. As such we can use the source package version of the removed package, '7.0.0-15.15', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-image-7.0.0-15-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "7.0.0-15.15", "version": "7.0.0-15.15" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-main-modules-zfs-7.0.0-15-generic", "from_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-15.15+1", "version": "7.0.0-15.15+1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-7.0.0-15-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-15.15", "version": "7.0.0-15.15" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 26.04 resolute image from daily image serial 20260522 to 20260618", "from_series": "resolute", "to_series": "resolute", "from_serial": "20260522", "to_serial": "20260618", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }