{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-5.15.0-1101-kvm",
                "linux-image-5.15.0-1101-kvm",
                "linux-kvm-headers-5.15.0-1101",
                "linux-modules-5.15.0-1101-kvm"
            ],
            "removed": [
                "linux-headers-5.15.0-1100-kvm",
                "linux-image-5.15.0-1100-kvm",
                "linux-kvm-headers-5.15.0-1100",
                "linux-modules-5.15.0-1100-kvm"
            ],
            "diff": [
                "libnss-systemd",
                "libpam-systemd",
                "libssl3",
                "libsystemd0",
                "libudev1",
                "linux-headers-kvm",
                "linux-image-kvm",
                "linux-kvm",
                "openssl",
                "systemd",
                "systemd-sysv",
                "systemd-timesyncd",
                "udev",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libnss-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssl3",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.23",
                    "version": "3.0.2-0ubuntu1.23"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.25",
                    "version": "3.0.2-0ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-34180",
                        "url": "https://ubuntu.com/security/CVE-2026-34180",
                        "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.  Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer.  More typically such ASN.1 elements would instead be truncated.  An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.  Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34182",
                        "url": "https://ubuntu.com/security/CVE-2026-34182",
                        "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.  Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.  In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher.  OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.  An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.  If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.  In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.  The FIPS modules are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42766",
                        "url": "https://ubuntu.com/security/CVE-2026-42766",
                        "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.  Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.  The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.  An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.  Applications that process password-encrypted CMS messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42767",
                        "url": "https://ubuntu.com/security/CVE-2026-42767",
                        "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.  Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.  An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.  Applications that process untrusted CMP/CRMF messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42770",
                        "url": "https://ubuntu.com/security/CVE-2026-42770",
                        "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.  Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.  When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.  A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).  The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45445",
                        "url": "https://ubuntu.com/security/CVE-2026-45445",
                        "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.  Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality.  If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.  OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex().  The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not.  Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.  If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext.  The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.  The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.  \nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45446",
                        "url": "https://ubuntu.com/security/CVE-2026-45446",
                        "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.  Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.  AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully.  In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.  When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.  AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.  No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45447",
                        "url": "https://ubuntu.com/security/CVE-2026-45447",
                        "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.  Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.  When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.  In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.  Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7383",
                        "url": "https://ubuntu.com/security/CVE-2026-7383",
                        "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.  Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.  In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.  X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9076",
                        "url": "https://ubuntu.com/security/CVE-2026-9076",
                        "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().  Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.  The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.  Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.  The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.  The FIPS modules are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34180",
                                "url": "https://ubuntu.com/security/CVE-2026-34180",
                                "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.  Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer.  More typically such ASN.1 elements would instead be truncated.  An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.  Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34182",
                                "url": "https://ubuntu.com/security/CVE-2026-34182",
                                "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.  Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.  In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher.  OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.  An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.  If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.  In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.  The FIPS modules are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42766",
                                "url": "https://ubuntu.com/security/CVE-2026-42766",
                                "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.  Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.  The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.  An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.  Applications that process password-encrypted CMS messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42767",
                                "url": "https://ubuntu.com/security/CVE-2026-42767",
                                "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.  Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.  An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.  Applications that process untrusted CMP/CRMF messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42770",
                                "url": "https://ubuntu.com/security/CVE-2026-42770",
                                "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.  Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.  When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.  A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).  The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45445",
                                "url": "https://ubuntu.com/security/CVE-2026-45445",
                                "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.  Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality.  If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.  OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex().  The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not.  Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.  If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext.  The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.  The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.  \nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45446",
                                "url": "https://ubuntu.com/security/CVE-2026-45446",
                                "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.  Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.  AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully.  In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.  When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.  AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.  No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.  \nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45447",
                                "url": "https://ubuntu.com/security/CVE-2026-45447",
                                "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.  Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.  When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.  In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.  Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7383",
                                "url": "https://ubuntu.com/security/CVE-2026-7383",
                                "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.  Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.  In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.  X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9076",
                                "url": "https://ubuntu.com/security/CVE-2026-9076",
                                "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().  Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.  The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.  Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.  The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.  The FIPS modules are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing",
                            "    - debian/patches/CVE-2026-34180.patch: Avoid length truncation in",
                            "      ASN1_STRING_set in crypto/asn1/tasn_dec.c.",
                            "    - CVE-2026-34180",
                            "  * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages",
                            "    - debian/patches/CVE-2026-34182-pre1.patch: Ensure",
                            "      ossl_cms_EncryptedContent_init_bio() reports an error on no OID in",
                            "      crypto/cms/cms_enc.c, crypto/cms/cms_err.c, crypto/err/openssl.txt,",
                            "      include/openssl/cmserr.h.",
                            "    - debian/patches/CVE-2026-34182-1.patch: CMS: Produce error when AEAD",
                            "      algorithms are used in enveloped data in crypto/cms/cms_enc.c,",
                            "      crypto/cms/cms_env.c, crypto/cms/cms_err.c, crypto/cms/cms_local.h,",
                            "      crypto/err/openssl.txt, include/openssl/cmserr.h, test/cms-msg/enveloped-",
                            "      content-type-for-aes-gcm.pem, test/cmsapitest.c,",
                            "      test/recipes/80-test_cms.t.",
                            "    - debian/patches/CVE-2026-34182-2.patch: Reject potentially forged encrypted",
                            "      CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.",
                            "    - debian/patches/CVE-2026-34182-3.patch: Add tests for CVE-2026-34182 in",
                            "      test/cmsapitest.c.",
                            "    - CVE-2026-34182",
                            "  * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption",
                            "    - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference",
                            "      processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.",
                            "    - CVE-2026-42766",
                            "  * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption",
                            "    - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in",
                            "      OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.",
                            "    - CVE-2026-42767",
                            "  * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q",
                            "    - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter",
                            "      against the peer's q in providers/implementations/exchange/dh_exch.c.",
                            "    - CVE-2026-42770",
                            "  * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path",
                            "    - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB",
                            "      EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,",
                            "      test/evp_extra_test.c.",
                            "    - CVE-2026-45445",
                            "  * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in",
                            "    AES-GCM-SIV and AES-SIV modes",
                            "    - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext",
                            "      messages in AES-SIV in providers/implementations/ciphers/cipher_aes_siv.c,",
                            "      test/evp_extra_test.c.",
                            "    - CVE-2026-45446",
                            "  * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()",
                            "    - debian/patches/CVE-2026-45447-pre1.patch: Revert unnecessary",
                            "      PKCS7_verify() performance optimization in crypto/pkcs7/pk7_smime.c.",
                            "    - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in",
                            "      OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.",
                            "    - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in",
                            "      PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-",
                            "      digest-set.eml.",
                            "    - CVE-2026-45447",
                            "  * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String",
                            "    Conversion",
                            "    - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in",
                            "      ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.",
                            "    - CVE-2026-7383",
                            "  * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption",
                            "    - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-bounds",
                            "      read in check-byte validation in crypto/cms/cms_pwri.c.",
                            "    - CVE-2026-9076",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.0.2-0ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 02 Jun 2026 15:33:25 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.15.0.1100.96",
                    "version": "5.15.0.1100.96"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.15.0.1101.97",
                    "version": "5.15.0.1101.97"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-1101",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.15.0.1101.97",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.15.0.1100.96",
                    "version": "5.15.0.1100.96"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.15.0.1101.97",
                    "version": "5.15.0.1101.97"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-1101",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.15.0.1101.97",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.15.0.1100.96",
                    "version": "5.15.0.1100.96"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.15.0.1101.97",
                    "version": "5.15.0.1101.97"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-1101",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.15.0.1101.97",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssl",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.23",
                    "version": "3.0.2-0ubuntu1.23"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.25",
                    "version": "3.0.2-0ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-34180",
                        "url": "https://ubuntu.com/security/CVE-2026-34180",
                        "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.  Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer.  More typically such ASN.1 elements would instead be truncated.  An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.  Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34182",
                        "url": "https://ubuntu.com/security/CVE-2026-34182",
                        "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.  Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.  In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher.  OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.  An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.  If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.  In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.  The FIPS modules are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42766",
                        "url": "https://ubuntu.com/security/CVE-2026-42766",
                        "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.  Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.  The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.  An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.  Applications that process password-encrypted CMS messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42767",
                        "url": "https://ubuntu.com/security/CVE-2026-42767",
                        "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.  Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.  An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.  Applications that process untrusted CMP/CRMF messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42770",
                        "url": "https://ubuntu.com/security/CVE-2026-42770",
                        "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.  Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.  When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.  A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).  The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45445",
                        "url": "https://ubuntu.com/security/CVE-2026-45445",
                        "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.  Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality.  If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.  OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex().  The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not.  Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.  If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext.  The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.  The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45446",
                        "url": "https://ubuntu.com/security/CVE-2026-45446",
                        "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.  Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.  AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully.  In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.  When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.  AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.  No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45447",
                        "url": "https://ubuntu.com/security/CVE-2026-45447",
                        "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.  Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.  When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.  In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.  Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7383",
                        "url": "https://ubuntu.com/security/CVE-2026-7383",
                        "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.  Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.  In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.  X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9076",
                        "url": "https://ubuntu.com/security/CVE-2026-9076",
                        "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().  Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.  The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.  Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.  The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.  The FIPS modules are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34180",
                                "url": "https://ubuntu.com/security/CVE-2026-34180",
                                "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.  Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer.  More typically such ASN.1 elements would instead be truncated.  An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.  Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34182",
                                "url": "https://ubuntu.com/security/CVE-2026-34182",
                                "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.  Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.  In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher.  OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.  An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.  If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.  In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.  The FIPS modules are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42766",
                                "url": "https://ubuntu.com/security/CVE-2026-42766",
                                "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.  Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.  The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.  An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.  Applications that process password-encrypted CMS messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42767",
                                "url": "https://ubuntu.com/security/CVE-2026-42767",
                                "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.  Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.  An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.  Applications that process untrusted CMP/CRMF messages may be affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42770",
                                "url": "https://ubuntu.com/security/CVE-2026-42770",
                                "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.  Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.  When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.  A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).  The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45445",
                                "url": "https://ubuntu.com/security/CVE-2026-45445",
                                "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.  Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality.  If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.  OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex().  The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not.  Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.  If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext.  The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.  The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45446",
                                "url": "https://ubuntu.com/security/CVE-2026-45446",
                                "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.  Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.  AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully.  In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.  When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.  AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.  No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.  
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45447",
                                "url": "https://ubuntu.com/security/CVE-2026-45447",
                                "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.  Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.  When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.  In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.  Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.  The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7383",
                                "url": "https://ubuntu.com/security/CVE-2026-7383",
                                "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.  Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.  In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.  X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.  The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9076",
                                "url": "https://ubuntu.com/security/CVE-2026-9076",
                                "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().  Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.  The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.  Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.  The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.  The FIPS modules are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing",
                            "    - debian/patches/CVE-2026-34180.patch: Avoid length truncation in",
                            "      ASN1_STRING_set in crypto/asn1/tasn_dec.c.",
                            "    - CVE-2026-34180",
                            "  * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages",
                            "    - debian/patches/CVE-2026-34182-pre1.patch: Ensure",
                            "      ossl_cms_EncryptedContent_init_bio() reports an error on no OID in",
                            "      crypto/cms/cms_enc.c, crypto/cms/cms_err.c, crypto/err/openssl.txt,",
                            "      include/openssl/cmserr.h.",
                            "    - debian/patches/CVE-2026-34182-1.patch: CMS: Produce error when AEAD",
                            "      algorithms are used in enveloped data in crypto/cms/cms_enc.c,",
                            "      crypto/cms/cms_env.c, crypto/cms/cms_err.c, crypto/cms/cms_local.h,",
                            "      crypto/err/openssl.txt, include/openssl/cmserr.h, test/cms-msg/enveloped-",
                            "      content-type-for-aes-gcm.pem, test/cmsapitest.c,",
                            "      test/recipes/80-test_cms.t.",
                            "    - debian/patches/CVE-2026-34182-2.patch: Reject potentially forged encrypted",
                            "      CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.",
                            "    - debian/patches/CVE-2026-34182-3.patch: Add tests for CVE-2026-34182 in",
                            "      test/cmsapitest.c.",
                            "    - CVE-2026-34182",
                            "  * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption",
                            "    - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference",
                            "      processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.",
                            "    - CVE-2026-42766",
                            "  * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption",
                            "    - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in",
                            "      OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.",
                            "    - CVE-2026-42767",
                            "  * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q",
                            "    - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter",
                            "      against the peer's q in providers/implementations/exchange/dh_exch.c.",
                            "    - CVE-2026-42770",
                            "  * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path",
                            "    - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB",
                            "      EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,",
                            "      test/evp_extra_test.c.",
                            "    - CVE-2026-45445",
                            "  * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in",
                            "    AES-GCM-SIV and AES-SIV modes",
                            "    - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext",
                            "      messages in AES-SIV in providers/implementations/ciphers/cipher_aes_siv.c,",
                            "      test/evp_extra_test.c.",
                            "    - CVE-2026-45446",
                            "  * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()",
                            "    - debian/patches/CVE-2026-45447-pre1.patch: Revert unnecessary",
                            "      PKCS7_verify() performance optimization in crypto/pkcs7/pk7_smime.c.",
                            "    - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in",
                            "      OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.",
                            "    - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in",
                            "      PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-",
                            "      digest-set.eml.",
                            "    - CVE-2026-45447",
                            "  * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String",
                            "    Conversion",
                            "    - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in",
                            "      ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.",
                            "    - CVE-2026-7383",
                            "  * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption",
                            "    - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-bounds",
                            "      read in check-byte validation in crypto/cms/cms_pwri.c.",
                            "    - CVE-2026-9076",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.0.2-0ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 02 Jun 2026 15:33:25 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-timesyncd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.20",
                    "version": "249.11-0ubuntu3.20"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "249.11-0ubuntu3.21",
                    "version": "249.11-0ubuntu3.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-7008",
                        "url": "https://ubuntu.com/security/CVE-2023-7008",
                        "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-12-23 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40226",
                        "url": "https://ubuntu.com/security/CVE-2026-40226",
                        "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-7008",
                                "url": "https://ubuntu.com/security/CVE-2023-7008",
                                "cve_description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-12-23 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40226",
                                "url": "https://ubuntu.com/security/CVE-2026-40226",
                                "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: MITM via DNSSEC-signed domains with no signature",
                            "    - debian/patches/CVE-2023-7008.patch: resolved: actually check authenticated",
                            "      flag of SOA transaction in src/resolve/resolved-dns-transaction.c.",
                            "    - CVE-2023-7008",
                            "  * SECURITY UPDATE: escape-to-host via malformed optional config file",
                            "    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral",
                            "      from settings file only if trusted in src/nspawn/nspawn.c.",
                            "    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths",
                            "      in src/nspawn/nspawn-mount.c.",
                            "    - CVE-2026-40226",
                            ""
                        ],
                        "package": "systemd",
                        "version": "249.11-0ubuntu3.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 11:40:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.30",
                    "version": "2:8.2.3995-1ubuntu2.30"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.31",
                    "version": "2:8.2.3995-1ubuntu2.31"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46483",
                        "url": "https://ubuntu.com/security/CVE-2026-46483",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-15 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43961",
                        "url": "https://ubuntu.com/security/CVE-2026-43961",
                        "cve_description": "[Unknown description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46483",
                                "url": "https://ubuntu.com/security/CVE-2026-46483",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-15 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43961",
                                "url": "https://ubuntu.com/security/CVE-2026-43961",
                                "cve_description": "[Unknown description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command injection in tar plugin.",
                            "    - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in",
                            "      runtime/autoload/tar.vim.",
                            "    - CVE-2026-46483",
                            "  * SECURITY UPDATE: Code injection via mf command.",
                            "    - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for",
                            "      filter commands in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-43961",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.31",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Wed, 03 Jun 2026 10:41:25 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-5.15.0-1101-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1101.106",
                    "version": "5.15.0-1101.106"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2153666,
                    1786013,
                    2153680,
                    1786013,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-kvm: 5.15.0-1101.106 -proposed tracker (LP: #2153666)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] resync retpoline extraction",
                            "",
                            "  [ Ubuntu: 5.15.0-181.191 ]",
                            "",
                            "  * jammy/linux: 5.15.0-181.191 -proposed tracker (LP: #2153680)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] resync retpoline extraction",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "    - xfrm: esp: ipv4: fix up flags setting",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.15.0-1101.106",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2153666,
                            1786013,
                            2153680,
                            1786013,
                            2153962
                        ],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:34 +0200"
                    }
                ],
                "notes": "linux-headers-5.15.0-1101-kvm version '5.15.0-1101.106' (source package linux-kvm version '5.15.0-1101.106') was added. linux-headers-5.15.0-1101-kvm version '5.15.0-1101.106' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1100-kvm. As such we can use the source package version of the removed package, '5.15.0-1100.105', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-5.15.0-1101-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.15.0-1101.106",
                    "version": "5.15.0-1101.106"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 5.15.0-1101.106",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed-kvm",
                        "version": "5.15.0-1101.106",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:56 +0200"
                    }
                ],
                "notes": "linux-image-5.15.0-1101-kvm version '5.15.0-1101.106' (source package linux-signed-kvm version '5.15.0-1101.106') was added. linux-image-5.15.0-1101-kvm version '5.15.0-1101.106' has the same source package name, linux-signed-kvm, as removed package linux-image-5.15.0-1100-kvm. As such we can use the source package version of the removed package, '5.15.0-1100.105', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-kvm-headers-5.15.0-1101",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1101.106",
                    "version": "5.15.0-1101.106"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2153666,
                    1786013,
                    2153680,
                    1786013,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-kvm: 5.15.0-1101.106 -proposed tracker (LP: #2153666)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] resync retpoline extraction",
                            "",
                            "  [ Ubuntu: 5.15.0-181.191 ]",
                            "",
                            "  * jammy/linux: 5.15.0-181.191 -proposed tracker (LP: #2153680)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] resync retpoline extraction",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "    - xfrm: esp: ipv4: fix up flags setting",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.15.0-1101.106",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2153666,
                            1786013,
                            2153680,
                            1786013,
                            2153962
                        ],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:34 +0200"
                    }
                ],
                "notes": "linux-kvm-headers-5.15.0-1101 version '5.15.0-1101.106' (source package linux-kvm version '5.15.0-1101.106') was added. It has the same source package name, linux-kvm, as the removed package linux-headers-5.15.0-1100-kvm, so the removed package's source package version, '5.15.0-1100.105', is used as the starting point of the changelog diff. Kernel packages are an example of a binary package name changing while the source package stays the same. Starting from the removed package's source package version gives a meaningful changelog diff even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-5.15.0-1101-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1101.106",
                    "version": "5.15.0-1101.106"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46300",
                        "url": "https://ubuntu.com/security/CVE-2026-46300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-23 12:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46333",
                        "url": "https://ubuntu.com/security/CVE-2026-46333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43500",
                        "url": "https://ubuntu.com/security/CVE-2026-43500",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-11 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43284",
                        "url": "https://ubuntu.com/security/CVE-2026-43284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-08 08:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2153666,
                    1786013,
                    2153680,
                    1786013,
                    2153962
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46300",
                                "url": "https://ubuntu.com/security/CVE-2026-46300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: skbuff: preserve shared-frag marker during coalescing  skb_try_coalesce() can attach paged frags from @from to @to.  If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.  That breaks the invariant relied on by later in-place writers.  In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.  Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags.  The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-23 12:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46333",
                                "url": "https://ubuntu.com/security/CVE-2026-46333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptrace: slightly saner 'get_dumpable()' logic  The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.  And almost all users do in fact use it only for the case where the task has a mm pointer.  But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for threads that no longer have a VM (and maybe never did, like most kernel threads).  It's not what this flag was designed for, but it is what it is.  The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all.  Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43500",
                                "url": "https://ubuntu.com/security/CVE-2026-43500",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present  The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true.  An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().  Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true.  This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO).  The OOM/trace handling already in place is reused.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-11 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43284",
                                "url": "https://ubuntu.com/security/CVE-2026-43284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: esp: avoid in-place decrypt on shared skb frags  MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.  That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.  Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.  This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-08 08:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux-kvm: 5.15.0-1101.106 -proposed tracker (LP: #2153666)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] resync retpoline extraction",
                            "",
                            "  [ Ubuntu: 5.15.0-181.191 ]",
                            "",
                            "  * jammy/linux: 5.15.0-181.191 -proposed tracker (LP: #2153680)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] resync retpoline extraction",
                            "  * CVE-2026-46300",
                            "    - net: skbuff: preserve shared-frag marker during coalescing",
                            "    - net: skbuff: propagate shared-frag marker through frag-transfer helpers",
                            "  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)",
                            "    - net/rds: reset op_nents when zerocopy page pin fails",
                            "  * CVE-2026-46333",
                            "    - ptrace: slightly saner 'get_dumpable()' logic",
                            "  * CVE-2026-43500",
                            "    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
                            "  * CVE-2026-43284",
                            "    - xfrm: esp: avoid in-place decrypt on shared skb frags",
                            "    - xfrm: esp: ipv4: fix up flags setting",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.15.0-1101.106",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2153666,
                            1786013,
                            2153680,
                            1786013,
                            2153962
                        ],
                        "author": "Edoardo Canepa <edoardo.canepa@canonical.com>",
                        "date": "Mon, 25 May 2026 17:48:34 +0200"
                    }
                ],
                "notes": "linux-modules-5.15.0-1101-kvm version '5.15.0-1101.106' (source package linux-kvm version '5.15.0-1101.106') was added. It has the same source package name, linux-kvm, as the removed package linux-headers-5.15.0-1100-kvm, so the removed package's source package version, '5.15.0-1100.105', is used as the starting point of the changelog diff. Kernel packages are an example of a binary package name changing while the source package stays the same. Starting from the removed package's source package version gives a meaningful changelog diff even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-5.15.0-1100-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": "5.15.0-1100.105"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-5.15.0-1100-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": "5.15.0-1100.105"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-kvm-headers-5.15.0-1100",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": "5.15.0-1100.105"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-5.15.0-1100-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.15.0-1100.105",
                    "version": "5.15.0-1100.105"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20260603 to 20260614",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260603",
    "to_serial": "20260614",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}