{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-image-6.8.0-124-generic", "linux-modules-6.8.0-124-generic" ], "removed": [ "linux-image-6.8.0-117-generic", "linux-modules-6.8.0-117-generic" ], "diff": [ "apparmor", "ca-certificates", "cloud-init", "libapparmor1", "libgcrypt20", "liblzma5", "libpam-systemd", "libssl3t64", "libsystemd-shared", "libsystemd0", "libudev1", "linux-image-virtual", "openssl", "python3-urllib3", "snapd", "systemd", "systemd-dev", "systemd-resolved", "systemd-sysv", "systemd-timesyncd", "udev", "xxd", "xz-utils" ] } }, "diff": { "deb": [ { "name": "apparmor", "from_version": { "source_package_name": "apparmor", "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.6", "version": "4.0.1really4.0.1-0ubuntu0.24.04.6" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.7", "version": "4.0.1really4.0.1-0ubuntu0.24.04.7" }, "cves": [], "launchpad_bugs_fixed": [ 2148074, 2148074 ], "changes": [ { "cves": [], "log": [ "", " * Revert the removal of the nautilus profile (LP: #2148074):", " - d/p/u/delete-the-busybox-and-nautilus-profiles.patch ->", " d/p/u/delete-the-busybox-profile.patch", " * debian/apparmor.install:", " - Re-enable the nautilus profile", " - Install migration to clear nautilus failed thumbnail cache", " * Add migration to clear nautilus failed thumbnail cache (LP: #2148074):", " - debian/nautilus_thumbnail_cache_clear.sh", " * debian/apparmor.postinst: signal the need for a reboot upon upgrade", "" ], "package": "apparmor", "version": "4.0.1really4.0.1-0ubuntu0.24.04.7", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2148074, 2148074 ], "author": "Ryan Lee ", "date": "Mon, 13 Apr 2026 15:29:23 -0700" } ], "notes": null, "is_version_downgrade": false }, { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20240203", "version": "20240203" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20260601~24.04.1", "version": "20260601~24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2156786 ], "changes": [ { "cves": [], "log": [ "", " * Update Mozilla certificate authority bundle to version 2.86", " (LP: #2156786)", " The following certificate authority was added (+):", " + e-Szigno TLS Root CA 2023", " The following certificate authorities were removed (-):", " - QuoVadis Root CA 2", " - QuoVadis Root CA 3", " - DigiCert Assured ID Root CA", " - DigiCert Global Root CA", " - DigiCert High Assurance EV Root CA", " - SwissSign Gold CA - G2", " - SecureTrust CA", " - Secure Global CA", " - COMODO Certification Authority", " - Certigna", " - certSIGN ROOT CA", " - AffirmTrust Commercial", " - AffirmTrust Networking", " - AffirmTrust Premium", " - AffirmTrust Premium ECC", " - TeliaSonera Root CA v1", " - Entrust Root Certification Authority - G2", " - Entrust Root Certification Authority - EC1", " - Trustwave Global Certification Authority", " - Trustwave Global ECC P256 Certification Authority", " - Trustwave Global ECC P384 Certification Authority", " - GLOBALTRUST 2020", " - GTS Root R2", " - FIRMAPROFESIONAL CA ROOT-A WEB", " The following certificate authority was renamed (~):", " ~ \"OISTE Server Root RSA G1\" (removed leading space)", " * Update Mozilla certificate authority bundle to version 2.82", " The following certificate authorities were added (+):", " + TrustAsia TLS ECC Root CA", " + TrustAsia TLS RSA Root CA", " + SwissSign RSA TLS Root CA 2022 - 1", " + OISTE Server Root ECC G1", " + OISTE Server Root RSA G1", " The following certificate authorities were removed (-):", " - GlobalSign Root CA", " - Entrust.net Premium 2048 Secure Server CA", " - Baltimore CyberTrust Root (closes: #1121936)", " - Comodo AAA Services root", " - XRamp Global CA Root", " - Go Daddy Class 2 CA", " - Starfield Class 2 CA", " - CommScope Public Trust ECC Root-01", " - CommScope Public Trust ECC Root-02", " - CommScope Public Trust RSA Root-01", " - CommScope Public Trust RSA Root-02", " * Update Mozilla certificate authority bundle to version 2.74.", " The following certificate authorities were added (+):", " + D-TRUST BR Root CA 2 2023", " + D-TRUST EV Root CA 2 2023", " The following certificate authorities were removed (-):", " - Entrust Root Certification Authority - G4", " - SecureSign RootCA11", " - Security Communication RootCA3", " - SwissSign Silver CA - G2", " * Update Mozilla certificate authority bundle to version 2.70.", " The following certificate authorities were added (+):", " + Telekom Security TLS ECC Root 2020", " + Telekom Security TLS RSA Root 2023", " + FIRMAPROFESIONAL CA ROOT-A WEB", " + TWCA CYBER Root CA", " + SecureSign Root CA12", " + SecureSign Root CA14", " + SecureSign Root CA15", " The following certificate authorities were removed (-):", " - Security Communication Root CA (closes: #1063093)", "" ], "package": "ca-certificates", "version": "20260601~24.04.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [ 2156786 ], "author": "Marc Deslauriers ", "date": "Mon, 15 Jun 2026 12:17:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.3-0ubuntu1~24.04.1", "version": "25.3-0ubuntu1~24.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "26.1-0ubuntu1~24.04.1", "version": "26.1-0ubuntu1~24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2146833 ], "changes": [ { "cves": [], "log": [ "", " * d/rules: replace DOWNSTREAM_VERSION with packaged DEB_VERSION value", " * d/p/0001-Revert-fix-DNS-resolution-performance-regression-dur.patch revert Ec2 URL change", " * d/p/0001-Revert-fix-support-bond-names-in-network_data.patch revert bond name change", " * refresh patches:", " - d/p/no-nocloud-network.patch", " - d/p/no-single-process.patch", " - d/p/grub-dpkg-support.patch", " - d/p/retain-setuptools.patch. Use PACKAGED_VERSION environment variable.", " build tools and tests.", " * Upstream snapshot based on upstream/main at 090026a3.", " * Upstream snapshot based on 26.1. (LP: #2146833).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/26.1/ChangeLog", "" ], "package": "cloud-init", "version": "26.1-0ubuntu1~24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2146833 ], "author": "Chad Smith ", "date": "Mon, 30 Mar 2026 12:55:18 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "libapparmor1", "from_version": { "source_package_name": "apparmor", "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.6", "version": "4.0.1really4.0.1-0ubuntu0.24.04.6" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "4.0.1really4.0.1-0ubuntu0.24.04.7", "version": "4.0.1really4.0.1-0ubuntu0.24.04.7" }, "cves": [], "launchpad_bugs_fixed": [ 2148074, 2148074 ], "changes": [ { "cves": [], "log": [ "", " * Revert the removal of the nautilus profile (LP: #2148074):", " - d/p/u/delete-the-busybox-and-nautilus-profiles.patch ->", " d/p/u/delete-the-busybox-profile.patch", " * debian/apparmor.install:", " - Re-enable the nautilus profile", " - Install migration to clear nautilus failed thumbnail cache", " * Add migration to clear nautilus failed thumbnail cache (LP: #2148074):", " - debian/nautilus_thumbnail_cache_clear.sh", " * debian/apparmor.postinst: signal the need for a reboot upon upgrade", "" ], "package": "apparmor", "version": "4.0.1really4.0.1-0ubuntu0.24.04.7", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2148074, 2148074 ], "author": "Ryan Lee ", "date": "Mon, 13 Apr 2026 15:29:23 -0700" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgcrypt20", "from_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.10.3-2build1", "version": "1.10.3-2build1" }, "to_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.10.3-2ubuntu0.1", "version": "1.10.3-2ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap-based buffer overflow via crafted ECDH ciphertext", " - debian/patches/CVE-2026-41989.patch: cipher:ecc: Fix decoding a point on", " Montgomery curve. in cipher/ecc-misc.c.", " - CVE-2026-41989", "" ], "package": "libgcrypt20", "version": "1.10.3-2ubuntu0.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 12 May 2026 14:17:24 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "liblzma5", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.6.1+really5.4.5-1ubuntu0.2", "version": "5.6.1+really5.4.5-1ubuntu0.2" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.6.1+really5.4.5-1ubuntu0.3", "version": "5.6.1+really5.4.5-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap buffer overflow", " - debian/patches/CVE-2026-34743.patch: adds a check to", " lzma_index_prealloc() to default to a safe size when decoding empty", " indexes in src/liblzma/common/index.c.", " - CVE-2026-34743", "" ], "package": "xz-utils", "version": "5.6.1+really5.4.5-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Thu, 28 May 2026 19:06:47 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssl3t64", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.9", "version": "3.0.13-0ubuntu3.9" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.11", "version": "3.0.13-0ubuntu3.11" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-1.patch: CMS: Produce error when AEAD", " algorithms are used in enveloped data in crypto/cms/cms_enc.c,", " crypto/cms/cms_env.c, crypto/cms/cms_err.c, crypto/cms/cms_local.h,", " crypto/err/openssl.txt, include/openssl/cmserr.h, test/cms-msg/enveloped-", " content-type-for-aes-gcm.pem, test/cmsapitest.c,", " test/recipes/80-test_cms.t.", " - debian/patches/CVE-2026-34182-2.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-3.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-SIV in providers/implementations/ciphers/cipher_aes_siv.c,", " test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-pre1.patch: Revert unnecessary", " PKCS7_verify() performance optimization in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-bounds", " read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", "" ], "package": "openssl", "version": "3.0.13-0ubuntu3.11", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 15:33:25 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd-shared", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-117.117", "version": "6.8.0-117.117" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-124.124", "version": "6.8.0-124.124" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-124.124", "" ], "package": "linux-meta", "version": "6.8.0-124.124", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 12:11:17 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-123.123", "" ], "package": "linux-meta", "version": "6.8.0-123.123", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Mon, 25 May 2026 14:41:54 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-121.121", "" ], "package": "linux-meta", "version": "6.8.0-121.121", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 23:04:02 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-120.120", "" ], "package": "linux-meta", "version": "6.8.0-120.120", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 16:33:49 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-119.119", "" ], "package": "linux-meta", "version": "6.8.0-119.119", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Mon, 11 May 2026 15:45:09 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-118.118", "" ], "package": "linux-meta", "version": "6.8.0-118.118", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Sat, 09 May 2026 00:26:04 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.9", "version": "3.0.13-0ubuntu3.9" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.11", "version": "3.0.13-0ubuntu3.11" }, "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34180", "url": "https://ubuntu.com/security/CVE-2026-34180", "cve_description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-34182", "url": "https://ubuntu.com/security/CVE-2026-34182", "cve_description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42766", "url": "https://ubuntu.com/security/CVE-2026-42766", "cve_description": "Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42767", "url": "https://ubuntu.com/security/CVE-2026-42767", "cve_description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-42770", "url": "https://ubuntu.com/security/CVE-2026-42770", "cve_description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45445", "url": "https://ubuntu.com/security/CVE-2026-45445", "cve_description": "Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45446", "url": "https://ubuntu.com/security/CVE-2026-45446", "cve_description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-45447", "url": "https://ubuntu.com/security/CVE-2026-45447", "cve_description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "high", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-7383", "url": "https://ubuntu.com/security/CVE-2026-7383", "cve_description": "Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" }, { "cve": "CVE-2026-9076", "url": "https://ubuntu.com/security/CVE-2026-9076", "cve_description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-06-09 17:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap Buffer Over-read in ASN.1 Content Parsing", " - debian/patches/CVE-2026-34180.patch: Avoid length truncation in", " ASN1_STRING_set in crypto/asn1/tasn_dec.c.", " - CVE-2026-34180", " * SECURITY UPDATE: CMS AuthEnvelopedData Processing May Accept Forged Messages", " - debian/patches/CVE-2026-34182-1.patch: CMS: Produce error when AEAD", " algorithms are used in enveloped data in crypto/cms/cms_enc.c,", " crypto/cms/cms_env.c, crypto/cms/cms_err.c, crypto/cms/cms_local.h,", " crypto/err/openssl.txt, include/openssl/cmserr.h, test/cms-msg/enveloped-", " content-type-for-aes-gcm.pem, test/cmsapitest.c,", " test/recipes/80-test_cms.t.", " - debian/patches/CVE-2026-34182-2.patch: Reject potentially forged encrypted", " CMS AuthEnvelopedData messages in crypto/cms/cms_enc.c.", " - debian/patches/CVE-2026-34182-3.patch: Add tests for CVE-2026-34182 in", " test/cmsapitest.c.", " - CVE-2026-34182", " * SECURITY UPDATE: Possible NULL Dereference in Password-Based CMS Decryption", " - debian/patches/CVE-2026-42766.patch: Fix potential NULL dereference", " processing CMS PasswordRecipientInfo in crypto/cms/cms_pwri.c.", " - CVE-2026-42766", " * SECURITY UPDATE: NULL Pointer Dereference in CRMF EncryptedValue Decryption", " - debian/patches/CVE-2026-42767.patch: Fix potential NULL dereference in", " OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c.", " - CVE-2026-42767", " * SECURITY UPDATE: FFC-DH Peer Validation Uses Attacker-Supplied q", " - debian/patches/CVE-2026-42770.patch: Match the local q DHX parameter", " against the peer's q in providers/implementations/exchange/dh_exch.c.", " - CVE-2026-42770", " * SECURITY UPDATE: AES-OCB IV Ignored on EVP_Cipher() Path", " - debian/patches/CVE-2026-45445.patch: Apply the buffered IV on the AES-OCB", " EVP_Cipher() path in providers/implementations/ciphers/cipher_aes_ocb.c,", " test/evp_extra_test.c.", " - CVE-2026-45445", " * SECURITY UPDATE: Incorrect Tag Processing for Empty Messages in", " AES-GCM-SIV and AES-SIV modes", " - debian/patches/CVE-2026-45446.patch: Fix handling of empty-ciphertext", " messages in AES-SIV in providers/implementations/ciphers/cipher_aes_siv.c,", " test/evp_extra_test.c.", " - CVE-2026-45446", " * SECURITY UPDATE: Heap Use-After-Free in OpenSSL PKCS7_verify()", " - debian/patches/CVE-2026-45447-pre1.patch: Revert unnecessary", " PKCS7_verify() performance optimization in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-1.patch: Fix possible use-after-free in", " OpenSSL PKCS7_verify() in crypto/pkcs7/pk7_smime.c.", " - debian/patches/CVE-2026-45447-2.patch: Test for CVE-2026-45447 (UAF in", " PKCS7_verify) in test/recipes/80-test_cms.t, test/smime-eml/pkcs7-empty-", " digest-set.eml.", " - CVE-2026-45447", " * SECURITY UPDATE: Possible Heap Buffer Overflow in ASN.1 Multibyte String", " Conversion", " - debian/patches/CVE-2026-7383.patch: Reject oversized inputs in", " ASN1_mbstring_ncopy() in crypto/asn1/a_mbstr.c.", " - CVE-2026-7383", " * SECURITY UPDATE: Out-of-Bounds Read in CMS Password-Based Decryption", " - debian/patches/CVE-2026-9076.patch: cms: kek_unwrap_key: Fix out-of-bounds", " read in check-byte validation in crypto/cms/cms_pwri.c.", " - CVE-2026-9076", "" ], "package": "openssl", "version": "3.0.13-0ubuntu3.11", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 02 Jun 2026 15:33:25 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "2.0.7-1ubuntu0.6", "version": "2.0.7-1ubuntu0.6" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "2.0.7-1ubuntu0.7", "version": "2.0.7-1ubuntu0.7" }, "cves": [ { "cve": "CVE-2026-44431", "url": "https://ubuntu.com/security/CVE-2026-44431", "cve_description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-44431", "url": "https://ubuntu.com/security/CVE-2026-44431", "cve_description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "cve_priority": "medium", "cve_public_date": "2026-05-13 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: sensitive headers not stripped in cross-origin redirects", " - debian/patches/CVE-2026-44431.patch: remove sensitive headers in proxy", " pools too in src/urllib3/connectionpool.py,", " test/with_dummyserver/test_proxy_poolmanager.py.", " - CVE-2026-44431", "" ], "package": "python-urllib3", "version": "2.0.7-1ubuntu0.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 22 May 2026 13:32:42 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.74.1+ubuntu24.04.4", "version": "2.74.1+ubuntu24.04.4" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.75.2+ubuntu24.04", "version": "2.75.2+ubuntu24.04" }, "cves": [ { "cve": "CVE-2026-3888", "url": "https://ubuntu.com/security/CVE-2026-3888", "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.", "cve_priority": "high", "cve_public_date": "2026-03-17 14:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2143882, 2142130, 2137543, 2142655, 2139664, 2139065, 2002697, 2141461, 2138268, 2138629, 2141328, 2139611, 2139300, 2139099, 2141607, 2138629, 2116949, 2068493, 2134364, 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2143882", " - Interfaces: network-setup-*| allow running python binaries from", " the base on UC26+", " - Cross-distro: modify SELinux policy to allow mounting on", " /var/snap//", " - Fix potential task deadlock by considering all tasks in a lane", " that might be waiting for a reboot when processing delayed", " security backend effects", "" ], "package": "snapd", "version": "2.75.2+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2143882 ], "author": "Katie May ", "date": "Mon, 30 Mar 2026 17:06:36 +0200" }, { "cves": [ { "cve": "CVE-2026-3888", "url": "https://ubuntu.com/security/CVE-2026-3888", "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.", "cve_priority": "high", "cve_public_date": "2026-03-17 14:16:00 UTC" } ], "log": [ "", " - FDE: limit number of boot check log entries", " - Allow a logged in user to refresh private snaps during a refresh", " with multiple snaps", " - Use precise prune pattern for tmpfiles (CVE-2026-3888)", "" ], "package": "snapd", "version": "2.75.1+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Katie May ", "date": "Wed, 18 Mar 2026 09:59:01 +0100" }, { "cves": [], "log": [ "", " - FDE: run early boot check only once per boot", " - FDE: update secboot to revision 77bc2457cc76", " - FDE: add degraded state for status API", " - FDE: prevent resealing tasks from running together", " - FDE: enable using keyslot tokens to store protected keys for UC26+", " - FDE: early commit kcmdline config transaction in update-gadget-", " cmdline to mitigate possible race condition", " - FDE: ensure extra snapd kcmdline fragments are applied", " - FDE: remove old secboot activation API calls", " - LP: #2142130 update apparmor parser to 4.1.7", " - LP: #2137543 disable translations in formatted output for snapctl", " services", " - LP: #2142655 improve snap size reporting precision in snap info", " output", " - LP: #2139664 snap-confine: remove race condition triggered by hat", " profile", " - LP: #2139065 skip 70-snap.*.rules when building dracut initramfs", " - LP: #2002697 error early on removal without purge if home is in", " NFS mount", " - LP: #2141461 Intefaces: allow snap-update-ns to read", " /proc/pid/auxv", " - LP: #2138268 Interfaces: kerberos-tickets| new interface allow", " access to kerberos tickets stored in /tmp", " - Interfaces: block-devices| allow Xen block devices", " - Interfaces: u2f-devices| add Tokey 3 FIDO", " - Interfaces: devlxd| new interface allowing acccess to LXD devlxd", " socket and APIs", " - Interfaces: browser-support| allow reading pressure stall info", " information", " - Interfaces: network-setup-control| allow additional netplan files", " access", " - Interfaces: desktop| allow access kvantum, lxqt, and gtk4", " configuration files", " - Interfaces: system-observe| allow fdinfo access for GPU monitoring", " - Interfaces: ubuntu-pro-control| allow access to Ubuntu Advantage", " client configuration", " - Prompting: add API endpoint to ask whether application should have", " access", " - Prompting: add support for audio-record prompting via API endpoint", " - Prompting: store snap name instead of apparmor label in requests", " - Prompting: respond with 503 to API requests when prompting", " subsystem is shutting down", " - Prompting: generalize prompting subsystem to support requests from", " outside AppArmor", " - Confdb: unset data for missing paths in set request", " - Confdb: return 400 for API requests with missing filter", " constraints", " - Confdb: return 400 for API requests with unmatched filter", " constraints", " - Confdb: support typed constraints in confdb filtering", " - Confdb: fixed unmarshalling transaction with placeholder path in", " deltas", " - Confdb: refresh confdb-schema assertions during manual refresh", " - Remote device management (experimental): add skeleton device", " management manager", " - Remote device management (experimental): add message exchange loop", " - Components: add snap component command, include component summary", " in snap info output", " - Components: enforce validation sets when installing components", " - Configuration: add system.motd configuration option to customize", " message of the day (motd)", " - packaging: remove dependencies libbrotli1, libfreetype6, and", " libpng16-16 from snap", " - snap-bootstrap: use libblkid for disk information to speed up boot", " - snap-confine: improve data handling error", " - snap-confine: use ld cache from the app base for core26+", " - snap: add riscv ISA detection for snaps", " - squashfs: reduce memory footprint of single file extraction", " - Add experimental snap delta format", " - Enable early download of seed snaps during refresh", " - Enable parallel downloads of essential snaps during refresh", " - Disallow removing components required by validation sets", " - Make snap prepare-image fail on --validation=ignore if model has", " enforced validation-sets", " - Fix correctly handling interrupted snap downloads", " - Fix handling of store throttling for refresh-app-awareness", " monitored snaps", " - Stop removed \"endure\" services on refresh", " - Install by default from the initramfs for UC26+, removing the need", " for a reboot after installation", " - Keep minidebuginfo in snapd snap", " - Make snap-specific systemd cgroup mandatory for snaps using core26", " and later, improve messaging for failure scenarios", " - Preserve stale connections of broken snaps", " - Remove enforce-validation-sets need for network", " - Opportunistic discarding of mount namespace when updating slot", " providers", " - Support for delaying updates of snap mount namespaces when", " refreshing slot providers", " - Use application CommonID as default source for desktop ID", "" ], "package": "snapd", "version": "2.75+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2142130, 2137543, 2142655, 2139664, 2139065, 2002697, 2141461, 2138268 ], "author": "Katie May ", "date": "Mon, 09 Mar 2026 17:10:13 +0100" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2138629", " - FDE: measure DeployedMode and AuditMode variables if they appear", " as disabled in the event log to avoid a potential reseal-failure", " boot loop", " - LP: #2141328 FDE: reuse preinstall check context during install to", " account for user-ignored errors", " - LP: #2139611 FDE: fix db updates by allowing multiple payloads", " - LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising", " memory lock limit when required", " - LP: #2139099 snap-confine: bump the max element count of the BPF", " map used to store IDs of allowed/matched devices to 1000", " - LP: #2141607 Desktop: revert change that caused user daemons", " declaring the desktop plug to implicitly depend on graphical-", " session.target", " - Interfaces: Added pidfd_open and memfd_secret to seccomp template", " - Interfaces: camera | add locking permission for /dev/video", "" ], "package": "snapd", "version": "2.74.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2138629, 2141328, 2139611, 2139300, 2139099, 2141607 ], "author": "Ernest Lotter ", "date": "Thu, 12 Feb 2026 21:27:23 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2138629", " - FDE: use new activation API from secboot", " - FDE: use activation API also with non keydata keys", " - FDE: ignore internal recovery key expiration during install", " - FDE: support adding/removing PINs post-installation", " - FDE: support changing PINs post-installation", " - FDE: support adding a recovery key post-installation", " - FDE: provide activation status via new endpoint v2/system-", " info/storage-encrypted", " - FDE: support sealing and resealing using the preinstall check", " result", " - FDE: disable passphrase support during install", " - FDE: add keyboard configuration helpers", " - FDE: lazily inject keyboard layout configuration in kernel cmdline", " - FDE: enable pin tries and limits PIN entry attempts to 3", " - FDE: extend secureboot endpoint to accept DB, KEK, and PK", " - FDE: simplify /v2/system-volumes keyslots handling by allowing", " name-only entries, implicitly expanding to all system containers", " - FDE: support extra non-system key slot names to support agents", " such as Landscape to set dedicated recovery keys", " - FDE: initialize fde state after device state", " - FDE: use device node to find the storage container and keys", " - FDE: provide user visible name for disk based on ID_MODEL", " - FDE: update secboot in snapd with latest additions and fixes", " - core-initrd: add systemd service for setting plymouth keyboard", " layout and X11 keyboard layouts", " - core-initrd: set plymouth cleartext toggle option", " - core-initrd: fix plymouth missing font issue", " - core-initrd: update dependency from libteec1 to libteec2", " - core-initrd: add new dlopened libs", " - LP: #2116949 Preseeding: add support for preseeding of hybrid", " systems via the installer API$", " - Preseeding: check whether a path is a mountpoint before remounting", " - Confdb: support tagging paths as secret in storage schemas", " - Confdb: support filtering on placeholder sub-keys", " - Confdb: support filtering in API and confdbstate", " - Confdb: support field filtering on reads", " - Confdb: support \"parameters\" stanza and check filters against them", " - Confdb: add support for '--with' contraints", " - Confdb: parsing fixes and error handling improvements", " - Assertions: restrict serials to new format in confdb-control", " - Assertions: add verify signature function", " - Remote device management: modify request-message assertion to", " expose its time constraints for remote device management", " - Remote device management: support polling of store messages", " - Remote device management: add signing of response messages with", " device key", " - Prompting: enable notify protocol v5 and test prompt restoration", " after snapd restart", " - snap: change malformed '--channel=' warning to error", " - snap: add 'snap report-issue' command to get the available contact", " details for the specified snap", " - snap: add 'snap version --verbose' flag to include information on", " snap binaries origin", " - snap: create the XDG_RUNTIME_DIR folder", " - LP: #2068493 snap: add support for 'snap refresh --tracking'", " - snapctl: add '--tracking' flag to 'snapctl refresh'", " - Reexec: include the info filepath in the version compare debug log", " - Reexec: add support for forcing reexec into and older snapd snap", " by setting SNAP_REEXEC=force in the environment", " - snap-confine: correct error message related to snap-confine group", " policy validation", " - snap-confine: ensure we only mount existing directories", " - LP: #2134364 snap-confine: handle potential race when creating", " /tmp/snap-private-tmp when lacking systemd-tmpfiles support", " - snap-confine: filter plus characters from security tags", " - Desktop: use desktop file IDs as desktop IDs", " - Desktop: store the common ID in the desktop file", " - Desktop: allow graphical daemons to show icons in the dock", " - Desktop: change user daemons with desktop plug defined to depend", " on graphical-session.target", " - dm-verity for essential snaps: made change to prerequisite struct", " - Cross-distro: modify SELinux profile to allow connecting to squid", " proxy", " - Cross-distro: add support for migrating snap mount directory", " - Packaging: drop ubuntu-14.04 packaging", " - Packaging: drop ubuntu-{14.04,16.04} transitional binary packages", " - Packaging: remove desktop files and state lock file during snapd", " purge", " - Packaging: fix inhibition hint file being left behind on failed", " unlink-current-snap", " - Disallow timeouts < 1us in systemd units", " - Add snap-store to the user-daemons support overrides", " - Support for SuccessExitStatus= generation for systemd daemon", " - Make standby output more verbose", " - Add prepare-serial-request hook", " - Try to discard snap mount namespaces when no processes are running", " during snap updates", " - Improve handling of snap downloads cache by introducing periodic", " cleanup with more aggressive policy", " - Interfaces: mediatek-accel | create new interface", " - Interfaces: nvidia-video-driver-libs | create new interface", " - Interfaces: *-driver-libs | accept component paths", " - Interfaces: desktop-legacy, unity7 | remove workaround for slash", " filtering in ibus address", " - Interfaces: fwupd | allow writing reboot notification in /run", " - Interfaces: add 'install' coreutil to base AppArmor template", " - Interfaces: u2f-devices | add apparmor permissions to allow the", " use of the libfido2 library in snaps", " - Interfaces: u2f-devices | add support for Thetis security key", " - Interfaces: add AppArmor workaround for mmap MAP_HUGETLB", " - Interfaces: timeserver-control | manage per-link ntp settings via", " systemd-networkd", "" ], "package": "snapd", "version": "2.74", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2138629, 2116949, 2068493, 2134364 ], "author": "Ernest Lotter ", "date": "Tue, 20 Jan 2026 18:54:17 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2132084", " - FDE: do not save incomplete FDE state when resealing was skipped", " - FDE: warn of inconsistent primary or policy counter", " - Confdb: document confdb in snapctl help messages", " - Confdb: only confdb hooks wait if snaps are disabled", " - Confdb: relax confdb change conflict checks", " - Confdb: remove empty parent when removing last leaf", " - Confdb: support parsing field filters", " - Confdb: wrap confdb write values under \"values\" key", " - dm-verity for essential snaps: add new naming convention for", " verity files", " - dm-verity for essential snaps: add snap integrity discovery", " - dm-verity for essential snaps: fix verity salt calculation", " - Assertions: add hardware identity assertion", " - Assertions: add integrity stanza in snap resources revisions", " - Assertions: add request message assertion required for remote", " device management", " - Assertions: add response-message assertion for secure remote", " device management", " - Assertions: expose WithStackedBackstore in RODatabase", " - Packaging: cross-distro | install upstream NEWS file into relevant", " snapd package doc directory", " - Packaging: cross-distro | tweak how the blocks injecting", " $SNAP_MOUNT_DIR/bin are generated as required for openSUSE", " - Packaging: remove deprecated snap-gdb-shim and all references now", " that snap run --gdb is unsupported and replaced by --gdbserver", " - Preseed: call systemd-tmpfiles instead handle-writable-paths on", " uc26", " - Preseed: do not remove the /snap dir but rather all its contents", " during reset", " - snap-confine: attach name derived from security tag to BPF maps", " and programs", " - snap-confine: ensure permitted capabilities match expectation", " - snap-confine: fix cached snap-confine profile cleanup to report", " the correct error instead of masking backend setup failures", " - snap-confine: Improve validation of user controlled paths", " - snap-confine: tighten snap cgroup checks to ensure a snap cannot", " start another snap in the same cgroup, preventing incorrect", " device-filter installation", " - core-initrd: add 26.04 ubuntu-core-initramfs package", " - core-initrd: add missing order dependency for setting default", " system files", " - core-initrd: avoid scanning loop and mmc boot partitions as the", " boot disk won't be any of these", " - core-initrd: make cpio a Depends and remove from Build-Depends", " - core-initrd: start plymouth sooner and reload when gadget is", " available", " - Cross-distro: modify syscheck to account for differences in", " openSUSE 16.0+", " - Validation sets: use in-flight validation sets when calling", " 'snapctl install' from hook", " - Prompting: enable prompting for the camera interface", " - Prompting: remove polkit authentication when modifying/deleting", " prompting rules", " - LP: #2127189 Prompting: do not record notices for unchanged rules", " on snapd startup", " - AppArmor: add free and pidof to the template", " - AppArmor: adjust interfaces/profiles to cope with coreutils paths", " - Interfaces: add support for compatibility expressions", " - Interfaces: checkbox-support | complete overhaul", " - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-", " driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-", " driver-libs", " - Interfaces: allow snaps on classic access to nvidia graphics", " libraries exported by *-driver-libs interfaces", " - Interfaces: fwupd | broaden access to /boot/efi/EFI", " - Interfaces: gsettings | set dconf-service as profile for", " ca.desrt.dconf.Writer", " - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new", " interfaces", " - Interfaces: opengl | grant read/write permission to /run/nvidia-", " persistenced/socket", " - interfaces: ros-snapd-support | add access to /v2/changes/", " - Interfaces: system-observe | read access to btrfs/ext4/zfs", " filesystem information", " - Interfaces: system-trace | allow /sys/kernel/tracing/** rw", " - Interfaces: usb-gadget | add support for ffs mounts in attributes", " - Add autocompletion to run command", " - Introduce option for disallowing auto-connection of a specific", " interface", " - Only log errors for user service operations performed as a part of", " snap removal", " - Patch snap names in service requests for parallel installed snaps", " - Simplify traits for eMMC special partitions", " - Strip apparmor_parser from debug symbols shrinking snapd size by", " ~3MB", " - Fix InstallPathMany skipping refresh control", " - Fix waiting for GDB helper to stop before attaching gdbserver", " - Protect the per-snap tmp directory against being reaped by age", " - Prevent disabling base snaps to ensure dependent snaps can be", " removed", " - Modify API endpoint /v2/logs to reject n <= 0 (except for special", " case -1 meaning all)", " - Avoid potential deadlock when task is injected after the change", " was aborted", " - Avoid race between store download stream and cache cleanup", " executing in parallel when invoked by snap download task", " - LP: #1851490 Use \"current\" instead of revision number for icons", " - LP: #2121853 Add snapctl version command", " - LP: #2127214 Ensure no more than one partition on disk can match a", " gadget partition", " - LP: #2127244 snap-confine: update AppArmor profile to allow", " read/write to journal as workaround for snap-confine fd", " inheritance prevented by newer AppArmor", " - LP: #2127766 Add new tracing mechanism with independently running", " strace and shim synchronization", "" ], "package": "snapd", "version": "2.73", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "author": "Ernest Lotter ", "date": "Fri, 21 Nov 2025 09:08:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-dev", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-resolved", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-timesyncd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.15", "version": "255.4-1ubuntu8.15" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.16", "version": "255.4-1ubuntu8.16" }, "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-40226", "url": "https://ubuntu.com/security/CVE-2026-40226", "cve_description": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.", "cve_priority": "medium", "cve_public_date": "2026-04-10 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: escape-to-host via malformed optional config file", " - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral", " from settings file only if trusted in src/nspawn/nspawn.c.", " - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths", " in src/nspawn/nspawn-mount.c.", " - CVE-2026-40226", "" ], "package": "systemd", "version": "255.4-1ubuntu8.16", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 05 Jun 2026 11:36:29 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.13", "version": "2:9.1.0016-1ubuntu7.13" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.15", "version": "2:9.1.0016-1ubuntu7.15" }, "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" }, { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-46483", "url": "https://ubuntu.com/security/CVE-2026-46483", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.", "cve_priority": "medium", "cve_public_date": "2026-05-15 15:16:00 UTC" }, { "cve": "CVE-2026-43961", "url": "https://ubuntu.com/security/CVE-2026-43961", "cve_description": "[Unknown description]", "cve_priority": "medium", "cve_public_date": "2026-05-20" } ], "log": [ "", " * SECURITY UPDATE: Command injection in tar plugin.", " - debian/patches/CVE-2026-46483.patch: Use the correct shell-escape in", " runtime/autoload/tar.vim.", " - CVE-2026-46483", " * SECURITY UPDATE: Code injection via mf command.", " - debian/patches/CVE-2026-43961.patch: Avoid string concatenation for", " filter commands in runtime/autoload/netrw.vim.", " - CVE-2026-43961", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.15", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Tue, 02 Jun 2026 16:00:15 -0600" }, { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.14", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Thu, 21 May 2026 13:51:48 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "xz-utils", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.6.1+really5.4.5-1ubuntu0.2", "version": "5.6.1+really5.4.5-1ubuntu0.2" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.6.1+really5.4.5-1ubuntu0.3", "version": "5.6.1+really5.4.5-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap buffer overflow", " - debian/patches/CVE-2026-34743.patch: adds a check to", " lzma_index_prealloc() to default to a safe size when decoding empty", " indexes in src/liblzma/common/index.c.", " - CVE-2026-34743", "" ], "package": "xz-utils", "version": "5.6.1+really5.4.5-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Thu, 28 May 2026 19:06:47 +0300" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-image-6.8.0-124-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-117.117", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-124.124", "version": "6.8.0-124.124" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-124.124", "" ], "package": "linux-signed", "version": "6.8.0-124.124", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 12:11:27 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-123.123", "" ], "package": "linux-signed", "version": "6.8.0-123.123", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Mon, 25 May 2026 14:42:03 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-121.121", "" ], "package": "linux-signed", "version": "6.8.0-121.121", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 23:04:11 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-120.120", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-120.120", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 16:33:59 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-119.119", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-119.119", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Mon, 11 May 2026 15:45:29 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-118.118", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-118.118", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Sat, 09 May 2026 00:26:13 +0200" } ], "notes": "linux-image-6.8.0-124-generic version '6.8.0-124.124' (source package linux-signed version '6.8.0-124.124') was added. linux-image-6.8.0-124-generic version '6.8.0-124.124' has the same source package name, linux-signed, as removed package linux-image-6.8.0-117-generic. As such we can use the source package version of the removed package, '6.8.0-117.117', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-124-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-117.117", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-124.124", "version": "6.8.0-124.124" }, "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2154172, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747, 2153733, 1786013, 2153962 ], "changes": [ { "cves": [], "log": [ "", " * GRO managed-frag use-after-free leading to local privilege escalation", " (LP: #2154172)", " - net: gro: don't merge zcopy skbs", "" ], "package": "linux", "version": "6.8.0-124.124", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2154172 ], "author": "Manuel Diewald ", "date": "Tue, 26 May 2026 11:55:59 +0200" }, { "cves": [ { "cve": "CVE-2026-47337", "url": "https://ubuntu.com/security/CVE-2026-47337", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47336", "url": "https://ubuntu.com/security/CVE-2026-47336", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47335", "url": "https://ubuntu.com/security/CVE-2026-47335", "cve_description": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47334", "url": "https://ubuntu.com/security/CVE-2026-47334", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47333", "url": "https://ubuntu.com/security/CVE-2026-47333", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47332", "url": "https://ubuntu.com/security/CVE-2026-47332", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47331", "url": "https://ubuntu.com/security/CVE-2026-47331", "cve_description": "Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.", "cve_priority": "high", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47330", "url": "https://ubuntu.com/security/CVE-2026-47330", "cve_description": "Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47329", "url": "https://ubuntu.com/security/CVE-2026-47329", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.", "cve_priority": "low", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47327", "url": "https://ubuntu.com/security/CVE-2026-47327", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47328", "url": "https://ubuntu.com/security/CVE-2026-47328", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" }, { "cve": "CVE-2026-47326", "url": "https://ubuntu.com/security/CVE-2026-47326", "cve_description": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.", "cve_priority": "medium", "cve_public_date": "2026-05-28 19:16:00 UTC" } ], "log": [ "", " * apparmor (LP: #2151747)", " - apparmor: Fix incorrect profile->signal range check", " - SAUCE: apparmor: pass big_resp to handler", " - SAUCE: apparmor: remove redundant kref_init for listener->count", " - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb", "", " * apparmor (LP: #2151747) // CVE-2026-47337", " - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr", "", " * apparmor (LP: #2151747) // CVE-2026-47336", " - SAUCE: apparmor: fix use of unintialized variable in net opt level", "", " * apparmor (LP: #2151747) // CVE-2026-47335", " - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL", " check", "", " * apparmor (LP: #2151747) // CVE-2026-47334", " - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock", "", " * apparmor (LP: #2151747) // CVE-2026-47333", " - SAUCE: apparmor: fix dfa unpacking size of the notification filter", "", " * apparmor (LP: #2151747) // CVE-2026-47332", " - SAUCE: apparmor: fix size check against type instead of pointer", "", " * apparmor (LP: #2151747) // CVE-2026-47331", " - SAUCE: apparmor: fix changing rules list without a lock", "", " * apparmor: LLVM/clang build failure due to uninitialized variable in", " notify.c (LP: #2148809) // CVE-2026-47330", " - SAUCE: apparmor: initialize variable used in uninitialized context", "", " * apparmor (LP: #2151747) // CVE-2026-47329", " - SAUCE: apparmor: fix name validation bypass on notification", "", " * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328", " - SAUCE: apparmor: fix glob memory leak after kstrdup", "", " * apparmor (LP: #2151747) // CVE-2026-47326", " - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer", "" ], "package": "linux", "version": "6.8.0-121.121", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2151747, 2148809, 2151747, 2151747, 2151747 ], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 22:55:39 +0200" }, { "cves": [ { "cve": "CVE-2026-46300", "url": "https://ubuntu.com/security/CVE-2026-46300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.", "cve_priority": "high", "cve_public_date": "2026-05-23 12:17:00 UTC" }, { "cve": "CVE-2026-46333", "url": "https://ubuntu.com/security/CVE-2026-46333", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional \"drop capabilities\" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached \"last dumpability\" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.", "cve_priority": "high", "cve_public_date": "2026-05-15 14:16:00 UTC" }, { "cve": "CVE-2026-43500", "url": "https://ubuntu.com/security/CVE-2026-43500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.", "cve_priority": "high", "cve_public_date": "2026-05-11 08:16:00 UTC" }, { "cve": "CVE-2026-31676", "url": "https://ubuntu.com/security/CVE-2026-31676", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.", "cve_priority": "medium", "cve_public_date": "2026-04-25 09:16:00 UTC" }, { "cve": "CVE-2026-43284", "url": "https://ubuntu.com/security/CVE-2026-43284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().", "cve_priority": "high", "cve_public_date": "2026-05-08 08:16:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-120.120 -proposed tracker (LP: #2153733)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update annotations scripts", "", " * CVE-2026-46300", " - net: skbuff: preserve shared-frag marker during coalescing", " - net: skbuff: propagate shared-frag marker through frag-transfer helpers", "", " * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)", " - net/rds: reset op_nents when zerocopy page pin fails", "", " * CVE-2026-46333", " - ptrace: slightly saner 'get_dumpable()' logic", "", " * CVE-2026-43500", " - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets", " - rxrpc: Parse received packets before dealing with timeouts", " - rxrpc: Fix potential UAF after skb_unshare() failure", " - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets", " - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present", "", " * CVE-2026-31676 // CVE-2026-43500", " - rxrpc: only handle RESPONSE during service challenge", "", " * CVE-2026-43284", " - xfrm: esp: avoid in-place decrypt on shared skb frags", "" ], "package": "linux", "version": "6.8.0-120.120", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2153733, 1786013, 2153962 ], "author": "Manuel Diewald ", "date": "Fri, 22 May 2026 16:06:43 +0200" } ], "notes": "linux-modules-6.8.0-124-generic version '6.8.0-124.124' (source package linux version '6.8.0-124.124') was added. linux-modules-6.8.0-124-generic version '6.8.0-124.124' has the same source package name, linux, as removed package linux-modules-6.8.0-117-generic. As such we can use the source package version of the removed package, '6.8.0-117.117', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-image-6.8.0-117-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-117.117", "version": "6.8.0-117.117" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-117-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-117.117", "version": "6.8.0-117.117" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20260521 to 20260617", "from_series": "noble", "to_series": "noble", "from_serial": "20260521", "to_serial": "20260617", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }