{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-1100-kvm", "linux-image-5.15.0-1100-kvm", "linux-kvm-headers-5.15.0-1100", "linux-modules-5.15.0-1100-kvm" ], "removed": [ "linux-headers-5.15.0-1098-kvm", "linux-image-5.15.0-1098-kvm", "linux-kvm-headers-5.15.0-1098", "linux-modules-5.15.0-1098-kvm" ], "diff": [ "cloud-init", "curl", "distro-info-data", "libcurl4", "libgcrypt20", "libgnutls30", "liblzma5", "libnetplan0", "libnghttp2-14", "libpng16-16", "linux-headers-kvm", "linux-image-kvm", "linux-kvm", "netplan-generator", "netplan.io", "python3-netplan", "sed", "snapd", "xxd", "xz-utils" ] } }, "diff": { "deb": [ { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.3-0ubuntu1~22.04.1", "version": "25.3-0ubuntu1~22.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "26.1-0ubuntu1~22.04.1", "version": "26.1-0ubuntu1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2146833 ], "changes": [ { "cves": [], "log": [ "", " * d/p/0001-Revert-fix-DNS-resolution-performance-regression-dur.patch revert Ec2 URL change ", " * d/p/0001-Revert-fix-support-bond-names-in-network_data.patch revert bond name change", " * d/rules: provide PACKAGED_VERSION env var to force setuptools version to", " match downstream DEB_VERSION", " * refresh patches:", " - d/p/no-nocloud-network.patch", " - d/p/no-single-process.patch", " - d/p/retain-ec2-default-net-update-events.patch", " - d/p/retain-setuptools.patch. Read PACKAGED_VERSION environment variable", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " - d/p/status-do-not-remove-duplicated-data.patch", " - d/p/status-retain-recoverable-error-exit-code.patch", " * Upstream snapshot based on upstream/main at 52ef4d17.", " * Upstream snapshot based on 26.1. (LP: #2146833).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/26.1/ChangeLog", "" ], "package": "cloud-init", "version": "26.1-0ubuntu1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2146833 ], "author": "Chad Smith ", "date": "Mon, 30 Mar 2026 12:56:49 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.23", "version": "7.81.0-1ubuntu1.23" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.24", "version": "7.81.0-1ubuntu1.24" }, "cves": [ { "cve": "CVE-2026-4873", "url": "https://ubuntu.com/security/CVE-2026-4873", "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5545", "url": "https://ubuntu.com/security/CVE-2026-5545", "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5773", "url": "https://ubuntu.com/security/CVE-2026-5773", "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6253", "url": "https://ubuntu.com/security/CVE-2026-6253", "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6276", "url": "https://ubuntu.com/security/CVE-2026-6276", "cve_description": "Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6429", "url": "https://ubuntu.com/security/CVE-2026-6429", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-7168", "url": "https://ubuntu.com/security/CVE-2026-7168", "cve_description": "Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-4873", "url": "https://ubuntu.com/security/CVE-2026-4873", "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5545", "url": "https://ubuntu.com/security/CVE-2026-5545", "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5773", "url": "https://ubuntu.com/security/CVE-2026-5773", "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6253", "url": "https://ubuntu.com/security/CVE-2026-6253", "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6276", "url": "https://ubuntu.com/security/CVE-2026-6276", "cve_description": "Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6429", "url": "https://ubuntu.com/security/CVE-2026-6429", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-7168", "url": "https://ubuntu.com/security/CVE-2026-7168", "cve_description": "Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: connection reuse ignores TLS requirement", " - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls", " connection if new requires TLS in lib/url.c.", " - CVE-2026-4873", " * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection", " - debian/patches/CVE-2026-5545.patch: improve connection reuse on", " negotiate in lib/url.c.", " - CVE-2026-5545", " * SECURITY UPDATE: wrong reuse of SMB connection", " - debian/patches/CVE-2026-5773.patch: disable connection reuse for", " SMB(S) in lib/smb.c.", " - CVE-2026-5773", " * SECURITY UPDATE: proxy credentials leak over redirect-to proxy", " - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as", " well on port or scheme change in lib/transfer.*, tests/*.", " - CVE-2026-6253", " * SECURITY UPDATE: stale custom cookie host causes cookie leak", " - debian/patches/CVE-2026-6276.patch: move cookiehost to struct", " SingleRequest in lib/http.c, lib/url.c, lib/urldata.h, tests/*.", " - CVE-2026-6276", " * SECURITY UPDATE: netrc credential leak with reused proxy connection", " - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes", " pushed over insecure connections in lib/http2.c.", " - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in", " lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.", " - debian/patches/CVE-2026-6429.patch: clear credentials better on", " redirect in lib/transfer.c, tests/*.", " - CVE-2026-6429", " * SECURITY UPDATE: cross-proxy Digest auth state leak", " - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when", " switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.", " - CVE-2026-7168", " * debian/rules: run test suite with extra debugging information.", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 29 Apr 2026 07:35:43 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "distro-info-data", "from_version": { "source_package_name": "distro-info-data", "source_package_version": "0.52ubuntu0.11", "version": "0.52ubuntu0.11" }, "to_version": { "source_package_name": "distro-info-data", "source_package_version": "0.52ubuntu0.12", "version": "0.52ubuntu0.12" }, "cves": [], "launchpad_bugs_fixed": [ 2150234 ], "changes": [ { "cves": [], "log": [ "", " * Add Ubuntu 26.10 \"Stonking Stingray\" (LP: #2150234)", "" ], "package": "distro-info-data", "version": "0.52ubuntu0.12", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2150234 ], "author": "Oliver Reiche ", "date": "Tue, 28 Apr 2026 16:20:05 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl4", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.23", "version": "7.81.0-1ubuntu1.23" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.24", "version": "7.81.0-1ubuntu1.24" }, "cves": [ { "cve": "CVE-2026-4873", "url": "https://ubuntu.com/security/CVE-2026-4873", "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5545", "url": "https://ubuntu.com/security/CVE-2026-5545", "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5773", "url": "https://ubuntu.com/security/CVE-2026-5773", "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6253", "url": "https://ubuntu.com/security/CVE-2026-6253", "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6276", "url": "https://ubuntu.com/security/CVE-2026-6276", "cve_description": "Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6429", "url": "https://ubuntu.com/security/CVE-2026-6429", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-7168", "url": "https://ubuntu.com/security/CVE-2026-7168", "cve_description": "Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-4873", "url": "https://ubuntu.com/security/CVE-2026-4873", "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5545", "url": "https://ubuntu.com/security/CVE-2026-5545", "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-5773", "url": "https://ubuntu.com/security/CVE-2026-5773", "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6253", "url": "https://ubuntu.com/security/CVE-2026-6253", "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6276", "url": "https://ubuntu.com/security/CVE-2026-6276", "cve_description": "Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.", "cve_priority": "low", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-6429", "url": "https://ubuntu.com/security/CVE-2026-6429", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" }, { "cve": "CVE-2026-7168", "url": "https://ubuntu.com/security/CVE-2026-7168", "cve_description": "Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.", "cve_priority": "medium", "cve_public_date": "2026-05-13 13:01:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: connection reuse ignores TLS requirement", " - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls", " connection if new requires TLS in lib/url.c.", " - CVE-2026-4873", " * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection", " - debian/patches/CVE-2026-5545.patch: improve connection reuse on", " negotiate in lib/url.c.", " - CVE-2026-5545", " * SECURITY UPDATE: wrong reuse of SMB connection", " - debian/patches/CVE-2026-5773.patch: disable connection reuse for", " SMB(S) in lib/smb.c.", " - CVE-2026-5773", " * SECURITY UPDATE: proxy credentials leak over redirect-to proxy", " - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as", " well on port or scheme change in lib/transfer.*, tests/*.", " - CVE-2026-6253", " * SECURITY UPDATE: stale custom cookie host causes cookie leak", " - debian/patches/CVE-2026-6276.patch: move cookiehost to struct", " SingleRequest in lib/http.c, lib/url.c, lib/urldata.h, tests/*.", " - CVE-2026-6276", " * SECURITY UPDATE: netrc credential leak with reused proxy connection", " - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes", " pushed over insecure connections in lib/http2.c.", " - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in", " lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.", " - debian/patches/CVE-2026-6429.patch: clear credentials better on", " redirect in lib/transfer.c, tests/*.", " - CVE-2026-6429", " * SECURITY UPDATE: cross-proxy Digest auth state leak", " - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when", " switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.", " - CVE-2026-7168", " * debian/rules: run test suite with extra debugging information.", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 29 Apr 2026 07:35:43 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgcrypt20", "from_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.9.4-3ubuntu3", "version": "1.9.4-3ubuntu3" }, "to_version": { "source_package_name": "libgcrypt20", "source_package_version": "1.9.4-3ubuntu3.2", "version": "1.9.4-3ubuntu3.2" }, "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-41989", "url": "https://ubuntu.com/security/CVE-2026-41989", "cve_description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.", "cve_priority": "medium", "cve_public_date": "2026-04-23 05:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Heap-based buffer overflow via crafted ECDH ciphertext", " - debian/patches/CVE-2026-41989.patch: cipher:ecc: Fix decoding a point on", " Montgomery curve. in cipher/ecc-misc.c.", " - CVE-2026-41989", " * This package does _not_ contain the changes from 1.9.4-3ubuntu3.1 in", " jammy-proposed.", "" ], "package": "libgcrypt20", "version": "1.9.4-3ubuntu3.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 12 May 2026 14:17:54 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgnutls30", "from_version": { "source_package_name": "gnutls28", "source_package_version": "3.7.3-4ubuntu1.8", "version": "3.7.3-4ubuntu1.8" }, "to_version": { "source_package_name": "gnutls28", "source_package_version": "3.7.3-4ubuntu1.9", "version": "3.7.3-4ubuntu1.9" }, "cves": [ { "cve": "CVE-2026-33846", "url": "https://ubuntu.com/security/CVE-2026-33846", "cve_description": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.", "cve_priority": "medium", "cve_public_date": "2026-05-04 10:15:00 UTC" }, { "cve": "CVE-2026-42009", "url": "https://ubuntu.com/security/CVE-2026-42009", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.", "cve_priority": "medium", "cve_public_date": "2026-05-18 13:16:00 UTC" }, { "cve": "CVE-2026-33845", "url": "https://ubuntu.com/security/CVE-2026-33845", "cve_description": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3832", "url": "https://ubuntu.com/security/CVE-2026-3832", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3833", "url": "https://ubuntu.com/security/CVE-2026-3833", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-42011", "url": "https://ubuntu.com/security/CVE-2026-42011", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.", "cve_priority": "medium", "cve_public_date": "2026-05-07 15:16:00 UTC" }, { "cve": "CVE-2026-42010", "url": "https://ubuntu.com/security/CVE-2026-42010", "cve_description": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.", "cve_priority": "medium", "cve_public_date": "2026-05-07 12:16:00 UTC" }, { "cve": "CVE-2026-5260", "url": "https://ubuntu.com/security/CVE-2026-5260", "cve_description": "A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42012", "url": "https://ubuntu.com/security/CVE-2026-42012", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42013", "url": "https://ubuntu.com/security/CVE-2026-42013", "cve_description": "A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42014", "url": "https://ubuntu.com/security/CVE-2026-42014", "cve_description": "Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.", "cve_priority": "medium", "cve_public_date": "2026-04-30" }, { "cve": "CVE-2026-42015", "url": "https://ubuntu.com/security/CVE-2026-42015", "cve_description": "A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-33846", "url": "https://ubuntu.com/security/CVE-2026-33846", "cve_description": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.", "cve_priority": "medium", "cve_public_date": "2026-05-04 10:15:00 UTC" }, { "cve": "CVE-2026-42009", "url": "https://ubuntu.com/security/CVE-2026-42009", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.", "cve_priority": "medium", "cve_public_date": "2026-05-18 13:16:00 UTC" }, { "cve": "CVE-2026-33845", "url": "https://ubuntu.com/security/CVE-2026-33845", "cve_description": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3832", "url": "https://ubuntu.com/security/CVE-2026-3832", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-3833", "url": "https://ubuntu.com/security/CVE-2026-3833", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-04-30 18:16:00 UTC" }, { "cve": "CVE-2026-42011", "url": "https://ubuntu.com/security/CVE-2026-42011", "cve_description": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.", "cve_priority": "medium", "cve_public_date": "2026-05-07 15:16:00 UTC" }, { "cve": "CVE-2026-42010", "url": "https://ubuntu.com/security/CVE-2026-42010", "cve_description": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.", "cve_priority": "medium", "cve_public_date": "2026-05-07 12:16:00 UTC" }, { "cve": "CVE-2026-5260", "url": "https://ubuntu.com/security/CVE-2026-5260", "cve_description": "A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42012", "url": "https://ubuntu.com/security/CVE-2026-42012", "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42013", "url": "https://ubuntu.com/security/CVE-2026-42013", "cve_description": "A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" }, { "cve": "CVE-2026-42014", "url": "https://ubuntu.com/security/CVE-2026-42014", "cve_description": "Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.", "cve_priority": "medium", "cve_public_date": "2026-04-30" }, { "cve": "CVE-2026-42015", "url": "https://ubuntu.com/security/CVE-2026-42015", "cve_description": "A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.", "cve_priority": "medium", "cve_public_date": "2026-05-26 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow in DTLS handshake fragment reassembly", " - debian/patches/CVE-2026-33846-pre1.patch: buffers: shorten", " merge_handshake_packet using recv_buf in lib/buffers.c.", " - debian/patches/CVE-2026-33846.patch: buffers: add more checks to DTLS", " reassembly in lib/buffers.c.", " - CVE-2026-33846", " * SECURITY UPDATE: DTLS packets sequence number ordering issue", " - debian/patches/CVE-2026-42009-pre1.patch: buffers: match DTLS datagrams by", " sequence number in lib/buffers.c.", " - debian/patches/CVE-2026-42009-1.patch: lib/buffers: ensure packets have", " differing sequence numbers in lib/buffers.c.", " - debian/patches/CVE-2026-42009-2.patch: buffers: fix handshake_compare when", " sequence numbers match in lib/buffers.c.", " - CVE-2026-42009", " * SECURITY UPDATE: OOB read via malformed fragments with zero length and", " non-zero offset", " - debian/patches/CVE-2026-33845-pre1.patch: buffers: rename a variable in", " parse_handshake_header in lib/buffers.c.", " - debian/patches/CVE-2026-33845.patch: buffers: switch from end_offset over", " to frag_length in lib/buffers.c, lib/gnutls_int.h.", " - debian/patches/CVE-2026-33845-2.patch: buffers: simplify and tighten", " parse_handshake_header checks in lib/buffers.c.", " - CVE-2026-33845", " * SECURITY UPDATE: malformed OCSP response issue", " - debian/patches/CVE-2026-3832-pre1.patch: iterate ocsp response records", " for matching certificate in doc/examples/ex-ocsp-client.c,", " lib/cert-session.c, lib/ocsp-api.c, src/ocsptool-common.c.", " - debian/patches/CVE-2026-3832-pre2.patch: fix formatting in", " doc/examples/ex-ocsp-client.c, lib/cert-session.c, lib/ocsp-api.c,", " src/ocsptool-common.c.", " - debian/patches/CVE-2026-3832.patch: cert-session: fix multi-entry OCSP", " revocation bypass in lib/cert-session.c.", " - CVE-2026-3832", " * SECURITY UPDATE: policy bypass via x509 case-sensitive comparisons", " - debian/patches/CVE-2026-3833.patch: x509/name-constraints: compare domain", " names case-insensitive in lib/x509/name_constraints.c.", " - CVE-2026-3833", " * SECURITY UPDATE: permitted name constrains were incorrectly ignored", " - debian/patches/CVE-2026-42011.patch: x509/name_constraints: fix", " intersecting empty constraints in lib/x509/name_constraints.c.", " - CVE-2026-42011", " * SECURITY UPDATE: ", " - debian/patches/CVE-2026-42010.patch: lib/auth/rsa_psk: fix binary PSK", " identity lookup in lib/auth/rsa_psk.c.", " - CVE-2026-42010", " * SECURITY UPDATE: incorrect username parsing with NUL characters", " - debian/patches/CVE-2026-5260-1.patch: lib/auth/rsa: check that ciphertext", " matches the modulus size in lib/auth/rsa.c, lib/auth/rsa_psk.c.", " - debian/patches/CVE-2026-5260-2.patch: lib/pkcs11_privkey: guard against", " overreading on short ciphertexts in lib/pkcs11_privkey.c.", " - CVE-2026-5260", " * SECURITY UPDATE: ", " - debian/patches/CVE-2026-42012-pre1.patch: x509/hostname-verify: refactor", " and simplify CN fallback logic in lib/x509/hostname-verify.c.", " - debian/patches/CVE-2026-42012-pre2.patch: Fix for #1132 in", " lib/includes/gnutls/gnutls.h.in, lib/x509/common.h,", " lib/x509/name_constraints.c, lib/x509/output.c, lib/x509/virt-san.c,", " lib/x509/x509.c, tests/Makefile.am, tests/x509-upnconstraint.c.", " - debian/patches/CVE-2026-42012-pre3.patch: x509: add bare-bones awareness", " of SRV virtual SAN in lib/includes/gnutls/gnutls.h.in, lib/x509/common.h,", " lib/x509/name_constraints.c, lib/x509/output.c, lib/x509/virt-san.c,", " lib/x509/x509.c.", " - debian/patches/CVE-2026-42012-pre4.patch: datum, mem, str: add helper", " functions to steal pointers in lib/datum.h, lib/mem.h, lib/str.h.", " - debian/patches/CVE-2026-42012.patch: x509/hostname-verify: make URI/SRV", " SAN preclude CN fallback in lib/x509/hostname-verify.c.", " - CVE-2026-42012", " * SECURITY UPDATE: incorrect URI or SRV Subject Alternative Names checking", " - debian/patches/CVE-2026-42013-pre1.patch: x509/email-verify: call", " fallback DN fallback in lib/x509/email-verify.c.", " - debian/patches/CVE-2026-42013.patch: x509: prevent fallback on oversized", " SAN in lib/x509/email-verify.c, lib/x509/hostname-verify.c.", " - CVE-2026-42013", " * SECURITY UPDATE: UaF when changing the Security Officer PIN", " - debian/patches/CVE-2026-42014.patch: pkcs11_write: fix UAF and leak in", " gnutls_pkcs11_token_set_pin in lib/pkcs11_write.c.", " - CVE-2026-42014", " * SECURITY UPDATE: buffer overflow when appending to a PKCS#12 bag", " - debian/patches/CVE-2026-42015.patch: x509/pkcs12_bag: fix off-by-one in", " bag element bounds check in lib/x509/pkcs12_bag.c.", " - CVE-2026-42015", "" ], "package": "gnutls28", "version": "3.7.3-4ubuntu1.9", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 08 May 2026 14:50:04 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "liblzma5", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1", "version": "5.2.5-2ubuntu1" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1.1", "version": "5.2.5-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap buffer overflow", " - debian/patches/CVE-2026-34743.patch: adds a check to", " lzma_index_prealloc() to default to a safe size when decoding empty", " indexes in src/liblzma/common/index.c.", " - CVE-2026-34743", "" ], "package": "xz-utils", "version": "5.2.5-2ubuntu1.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Thu, 28 May 2026 19:06:40 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnetplan0", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnghttp2-14", "from_version": { "source_package_name": "nghttp2", "source_package_version": "1.43.0-1ubuntu0.2", "version": "1.43.0-1ubuntu0.2" }, "to_version": { "source_package_name": "nghttp2", "source_package_version": "1.43.0-1ubuntu0.3", "version": "1.43.0-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-27135", "url": "https://ubuntu.com/security/CVE-2026-27135", "cve_description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.", "cve_priority": "medium", "cve_public_date": "2026-03-18 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-27135", "url": "https://ubuntu.com/security/CVE-2026-27135", "cve_description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.", "cve_priority": "medium", "cve_public_date": "2026-03-18 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of service through assertion failure.", " - debian/patches/CVE-2026-27135-pre1.patch: Add iframe->state ==", " NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.", " - debian/patches/CVE-2026-27135-pre2.patch: Add iframe->state ==", " NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.", " - debian/patches/CVE-2026-27135.patch: Add iframe->state ==", " NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.", " - debian/patches/CVE-2026-27135-post1.patch: Add iframe->state ==", " NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.", " - CVE-2026-27135", "" ], "package": "nghttp2", "version": "1.43.0-1ubuntu0.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Tue, 28 Apr 2026 16:49:21 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.37-3ubuntu0.4", "version": "1.6.37-3ubuntu0.4" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.37-3ubuntu0.5", "version": "1.6.37-3ubuntu0.5" }, "cves": [ { "cve": "CVE-2026-33416", "url": "https://ubuntu.com/security/CVE-2026-33416", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" }, { "cve": "CVE-2026-33636", "url": "https://ubuntu.com/security/CVE-2026-33636", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" }, { "cve": "CVE-2026-34757", "url": "https://ubuntu.com/security/CVE-2026-34757", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.", "cve_priority": "medium", "cve_public_date": "2026-04-09 15:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-33416", "url": "https://ubuntu.com/security/CVE-2026-33416", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" }, { "cve": "CVE-2026-33636", "url": "https://ubuntu.com/security/CVE-2026-33636", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" }, { "cve": "CVE-2026-34757", "url": "https://ubuntu.com/security/CVE-2026-34757", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.", "cve_priority": "medium", "cve_public_date": "2026-04-09 15:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free via shared buffers", " - debian/patches/CVE-2026-33416-pre1.patch: Fix a memory leak in", " png_set_tRNS in pngset.c.", " - debian/patches/CVE-2026-33416-pre2.patch: Avoid a memory leak when", " allocation of a pCAL buffer fails in pngset.c.", " - debian/patches/CVE-2026-33416-1.patch: fix: Resolve use-after-free on", " `png_ptr->trans_alpha` in pngread.c, pngrutil.c, pngset.c, pngwrite.c.", " - debian/patches/CVE-2026-33416-2.patch: fix: Resolve use-after-free on", " `png_ptr->palette` in pngread.c, pngrtran.c, pngrutil.c, pngset.c,", " pngwrite.c.", " - debian/patches/CVE-2026-33416-3.patch: fix: Initialize tail bytes in", " `trans_alpha` buffers in pngset.c.", " - debian/patches/CVE-2026-33416-4.patch: fix: Sync `info_ptr->palette` after", " in-place transforms in pngrtran.c.", " - debian/patches/CVE-2026-33416-5.patch: fix: Sync `info_ptr->palette`", " unconditionally after in-place transforms in pngrtran.c.", " - CVE-2026-33416", " * SECURITY UPDATE: out-of-bounds access in ARM palette expansion path", " - debian/patches/CVE-2026-33636.patch: fix(arm): Resolve out-of-bounds", " read/write in NEON palette expansion in arm/palette_neon_intrinsics.c.", " - CVE-2026-33636", " * SECURITY UPDATE: getter-to-setter aliasing issues", " - debian/patches/CVE-2026-34757-1.patch: fix: Handle self-referencing", " pointers in getter-to-setter aliasing in CMakeLists.txt, Makefile.am,", " contrib/libtests/pnggetset.c, pngset.c, tests/pnggetset.", " - debian/patches/CVE-2026-34757-2.patch: fix: Handle getter-to-setter", " aliasing in append-style chunk setters in contrib/libtests/pnggetset.c,", " pngset.c.", " - debian/rules: set exec permissions on tests/pnggetset.", " - CVE-2026-34757", " * SECURITY UPDATE: integer overflow in rowbytes computation", " - debian/patches/rowbytes_overflow.patch: fix: Prevent integer overflow in", " rowbytes computation in pngrtran.c.", " - No CVE number", "" ], "package": "libpng1.6", "version": "1.6.37-3ubuntu0.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 05 May 2026 15:14:16 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1098.94", "version": "5.15.0.1098.94" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1100.96", "version": "5.15.0.1100.96" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1100", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1100.96", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:41 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1099", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1099.95", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 16:07:25 +1000" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1098.94", "version": "5.15.0.1098.94" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1100.96", "version": "5.15.0.1100.96" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1100", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1100.96", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:41 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1099", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1099.95", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 16:07:25 +1000" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1098.94", "version": "5.15.0.1098.94" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1100.96", "version": "5.15.0.1100.96" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1100", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1100.96", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:41 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1099", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1099.95", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 16:07:25 +1000" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan-generator", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-netplan", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.3", "version": "0.107.1-3ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.4", "version": "0.107.1-3ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2076319 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2076319-fix-dir-permissions.patch:", " Change default umask when creating dirctories (LP: #2076319)", "" ], "package": "netplan.io", "version": "0.107.1-3ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076319 ], "author": "Robert Malz ", "date": "Wed, 23 Apr 2026 14:17:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "sed", "from_version": { "source_package_name": "sed", "source_package_version": "4.8-1ubuntu2", "version": "4.8-1ubuntu2" }, "to_version": { "source_package_name": "sed", "source_package_version": "4.8-1ubuntu2.1", "version": "4.8-1ubuntu2.1" }, "cves": [ { "cve": "CVE-2026-5958", "url": "https://ubuntu.com/security/CVE-2026-5958", "cve_description": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.", "cve_priority": "medium", "cve_public_date": "2026-04-20 12:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-5958", "url": "https://ubuntu.com/security/CVE-2026-5958", "cve_description": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.", "cve_priority": "medium", "cve_public_date": "2026-04-20 12:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: TOCTOU race in sed -i --follow-symlinks", " - debian/patches/CVE-2026-5958.patch: open the already-resolved path", " instead of re-traversing the symlink in sed/execute.c.", " - CVE-2026-5958", "" ], "package": "sed", "version": "4.8-1ubuntu2.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 17 Apr 2026 14:02:54 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.74.1+ubuntu22.04.4", "version": "2.74.1+ubuntu22.04.4" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.75.2+ubuntu22.04", "version": "2.75.2+ubuntu22.04" }, "cves": [ { "cve": "CVE-2026-3888", "url": "https://ubuntu.com/security/CVE-2026-3888", "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.", "cve_priority": "high", "cve_public_date": "2026-03-17 14:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2143882, 2142130, 2137543, 2142655, 2139664, 2139065, 2002697, 2141461, 2138268, 2138629, 2141328, 2139611, 2139300, 2139099, 2141607, 2138629, 2116949, 2068493, 2134364, 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2143882", " - Interfaces: network-setup-*| allow running python binaries from", " the base on UC26+", " - Cross-distro: modify SELinux policy to allow mounting on", " /var/snap//", " - Fix potential task deadlock by considering all tasks in a lane", " that might be waiting for a reboot when processing delayed", " security backend effects", "" ], "package": "snapd", "version": "2.75.2+ubuntu22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2143882 ], "author": "Katie May ", "date": "Mon, 30 Mar 2026 17:06:36 +0200" }, { "cves": [ { "cve": "CVE-2026-3888", "url": "https://ubuntu.com/security/CVE-2026-3888", "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.", "cve_priority": "high", "cve_public_date": "2026-03-17 14:16:00 UTC" } ], "log": [ "", " - FDE: limit number of boot check log entries", " - Allow a logged in user to refresh private snaps during a refresh", " with multiple snaps", " - Use precise prune pattern for tmpfiles (CVE-2026-3888)", "" ], "package": "snapd", "version": "2.75.1+ubuntu22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Katie May ", "date": "Wed, 18 Mar 2026 09:59:01 +0100" }, { "cves": [], "log": [ "", " - FDE: run early boot check only once per boot", " - FDE: update secboot to revision 77bc2457cc76", " - FDE: add degraded state for status API", " - FDE: prevent resealing tasks from running together", " - FDE: enable using keyslot tokens to store protected keys for UC26+", " - FDE: early commit kcmdline config transaction in update-gadget-", " cmdline to mitigate possible race condition", " - FDE: ensure extra snapd kcmdline fragments are applied", " - FDE: remove old secboot activation API calls", " - LP: #2142130 update apparmor parser to 4.1.7", " - LP: #2137543 disable translations in formatted output for snapctl", " services", " - LP: #2142655 improve snap size reporting precision in snap info", " output", " - LP: #2139664 snap-confine: remove race condition triggered by hat", " profile", " - LP: #2139065 skip 70-snap.*.rules when building dracut initramfs", " - LP: #2002697 error early on removal without purge if home is in", " NFS mount", " - LP: #2141461 Intefaces: allow snap-update-ns to read", " /proc/pid/auxv", " - LP: #2138268 Interfaces: kerberos-tickets| new interface allow", " access to kerberos tickets stored in /tmp", " - Interfaces: block-devices| allow Xen block devices", " - Interfaces: u2f-devices| add Tokey 3 FIDO", " - Interfaces: devlxd| new interface allowing acccess to LXD devlxd", " socket and APIs", " - Interfaces: browser-support| allow reading pressure stall info", " information", " - Interfaces: network-setup-control| allow additional netplan files", " access", " - Interfaces: desktop| allow access kvantum, lxqt, and gtk4", " configuration files", " - Interfaces: system-observe| allow fdinfo access for GPU monitoring", " - Interfaces: ubuntu-pro-control| allow access to Ubuntu Advantage", " client configuration", " - Prompting: add API endpoint to ask whether application should have", " access", " - Prompting: add support for audio-record prompting via API endpoint", " - Prompting: store snap name instead of apparmor label in requests", " - Prompting: respond with 503 to API requests when prompting", " subsystem is shutting down", " - Prompting: generalize prompting subsystem to support requests from", " outside AppArmor", " - Confdb: unset data for missing paths in set request", " - Confdb: return 400 for API requests with missing filter", " constraints", " - Confdb: return 400 for API requests with unmatched filter", " constraints", " - Confdb: support typed constraints in confdb filtering", " - Confdb: fixed unmarshalling transaction with placeholder path in", " deltas", " - Confdb: refresh confdb-schema assertions during manual refresh", " - Remote device management (experimental): add skeleton device", " management manager", " - Remote device management (experimental): add message exchange loop", " - Components: add snap component command, include component summary", " in snap info output", " - Components: enforce validation sets when installing components", " - Configuration: add system.motd configuration option to customize", " message of the day (motd)", " - packaging: remove dependencies libbrotli1, libfreetype6, and", " libpng16-16 from snap", " - snap-bootstrap: use libblkid for disk information to speed up boot", " - snap-confine: improve data handling error", " - snap-confine: use ld cache from the app base for core26+", " - snap: add riscv ISA detection for snaps", " - squashfs: reduce memory footprint of single file extraction", " - Add experimental snap delta format", " - Enable early download of seed snaps during refresh", " - Enable parallel downloads of essential snaps during refresh", " - Disallow removing components required by validation sets", " - Make snap prepare-image fail on --validation=ignore if model has", " enforced validation-sets", " - Fix correctly handling interrupted snap downloads", " - Fix handling of store throttling for refresh-app-awareness", " monitored snaps", " - Stop removed \"endure\" services on refresh", " - Install by default from the initramfs for UC26+, removing the need", " for a reboot after installation", " - Keep minidebuginfo in snapd snap", " - Make snap-specific systemd cgroup mandatory for snaps using core26", " and later, improve messaging for failure scenarios", " - Preserve stale connections of broken snaps", " - Remove enforce-validation-sets need for network", " - Opportunistic discarding of mount namespace when updating slot", " providers", " - Support for delaying updates of snap mount namespaces when", " refreshing slot providers", " - Use application CommonID as default source for desktop ID", "" ], "package": "snapd", "version": "2.75+ubuntu22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2142130, 2137543, 2142655, 2139664, 2139065, 2002697, 2141461, 2138268 ], "author": "Katie May ", "date": "Mon, 09 Mar 2026 17:10:13 +0100" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2138629", " - FDE: measure DeployedMode and AuditMode variables if they appear", " as disabled in the event log to avoid a potential reseal-failure", " boot loop", " - LP: #2141328 FDE: reuse preinstall check context during install to", " account for user-ignored errors", " - LP: #2139611 FDE: fix db updates by allowing multiple payloads", " - LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising", " memory lock limit when required", " - LP: #2139099 snap-confine: bump the max element count of the BPF", " map used to store IDs of allowed/matched devices to 1000", " - LP: #2141607 Desktop: revert change that caused user daemons", " declaring the desktop plug to implicitly depend on graphical-", " session.target", " - Interfaces: Added pidfd_open and memfd_secret to seccomp template", " - Interfaces: camera | add locking permission for /dev/video", "" ], "package": "snapd", "version": "2.74.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2138629, 2141328, 2139611, 2139300, 2139099, 2141607 ], "author": "Ernest Lotter ", "date": "Thu, 12 Feb 2026 21:27:23 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2138629", " - FDE: use new activation API from secboot", " - FDE: use activation API also with non keydata keys", " - FDE: ignore internal recovery key expiration during install", " - FDE: support adding/removing PINs post-installation", " - FDE: support changing PINs post-installation", " - FDE: support adding a recovery key post-installation", " - FDE: provide activation status via new endpoint v2/system-", " info/storage-encrypted", " - FDE: support sealing and resealing using the preinstall check", " result", " - FDE: disable passphrase support during install", " - FDE: add keyboard configuration helpers", " - FDE: lazily inject keyboard layout configuration in kernel cmdline", " - FDE: enable pin tries and limits PIN entry attempts to 3", " - FDE: extend secureboot endpoint to accept DB, KEK, and PK", " - FDE: simplify /v2/system-volumes keyslots handling by allowing", " name-only entries, implicitly expanding to all system containers", " - FDE: support extra non-system key slot names to support agents", " such as Landscape to set dedicated recovery keys", " - FDE: initialize fde state after device state", " - FDE: use device node to find the storage container and keys", " - FDE: provide user visible name for disk based on ID_MODEL", " - FDE: update secboot in snapd with latest additions and fixes", " - core-initrd: add systemd service for setting plymouth keyboard", " layout and X11 keyboard layouts", " - core-initrd: set plymouth cleartext toggle option", " - core-initrd: fix plymouth missing font issue", " - core-initrd: update dependency from libteec1 to libteec2", " - core-initrd: add new dlopened libs", " - LP: #2116949 Preseeding: add support for preseeding of hybrid", " systems via the installer API$", " - Preseeding: check whether a path is a mountpoint before remounting", " - Confdb: support tagging paths as secret in storage schemas", " - Confdb: support filtering on placeholder sub-keys", " - Confdb: support filtering in API and confdbstate", " - Confdb: support field filtering on reads", " - Confdb: support \"parameters\" stanza and check filters against them", " - Confdb: add support for '--with' contraints", " - Confdb: parsing fixes and error handling improvements", " - Assertions: restrict serials to new format in confdb-control", " - Assertions: add verify signature function", " - Remote device management: modify request-message assertion to", " expose its time constraints for remote device management", " - Remote device management: support polling of store messages", " - Remote device management: add signing of response messages with", " device key", " - Prompting: enable notify protocol v5 and test prompt restoration", " after snapd restart", " - snap: change malformed '--channel=' warning to error", " - snap: add 'snap report-issue' command to get the available contact", " details for the specified snap", " - snap: add 'snap version --verbose' flag to include information on", " snap binaries origin", " - snap: create the XDG_RUNTIME_DIR folder", " - LP: #2068493 snap: add support for 'snap refresh --tracking'", " - snapctl: add '--tracking' flag to 'snapctl refresh'", " - Reexec: include the info filepath in the version compare debug log", " - Reexec: add support for forcing reexec into and older snapd snap", " by setting SNAP_REEXEC=force in the environment", " - snap-confine: correct error message related to snap-confine group", " policy validation", " - snap-confine: ensure we only mount existing directories", " - LP: #2134364 snap-confine: handle potential race when creating", " /tmp/snap-private-tmp when lacking systemd-tmpfiles support", " - snap-confine: filter plus characters from security tags", " - Desktop: use desktop file IDs as desktop IDs", " - Desktop: store the common ID in the desktop file", " - Desktop: allow graphical daemons to show icons in the dock", " - Desktop: change user daemons with desktop plug defined to depend", " on graphical-session.target", " - dm-verity for essential snaps: made change to prerequisite struct", " - Cross-distro: modify SELinux profile to allow connecting to squid", " proxy", " - Cross-distro: add support for migrating snap mount directory", " - Packaging: drop ubuntu-14.04 packaging", " - Packaging: drop ubuntu-{14.04,16.04} transitional binary packages", " - Packaging: remove desktop files and state lock file during snapd", " purge", " - Packaging: fix inhibition hint file being left behind on failed", " unlink-current-snap", " - Disallow timeouts < 1us in systemd units", " - Add snap-store to the user-daemons support overrides", " - Support for SuccessExitStatus= generation for systemd daemon", " - Make standby output more verbose", " - Add prepare-serial-request hook", " - Try to discard snap mount namespaces when no processes are running", " during snap updates", " - Improve handling of snap downloads cache by introducing periodic", " cleanup with more aggressive policy", " - Interfaces: mediatek-accel | create new interface", " - Interfaces: nvidia-video-driver-libs | create new interface", " - Interfaces: *-driver-libs | accept component paths", " - Interfaces: desktop-legacy, unity7 | remove workaround for slash", " filtering in ibus address", " - Interfaces: fwupd | allow writing reboot notification in /run", " - Interfaces: add 'install' coreutil to base AppArmor template", " - Interfaces: u2f-devices | add apparmor permissions to allow the", " use of the libfido2 library in snaps", " - Interfaces: u2f-devices | add support for Thetis security key", " - Interfaces: add AppArmor workaround for mmap MAP_HUGETLB", " - Interfaces: timeserver-control | manage per-link ntp settings via", " systemd-networkd", "" ], "package": "snapd", "version": "2.74", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2138629, 2116949, 2068493, 2134364 ], "author": "Ernest Lotter ", "date": "Tue, 20 Jan 2026 18:54:17 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2132084", " - FDE: do not save incomplete FDE state when resealing was skipped", " - FDE: warn of inconsistent primary or policy counter", " - Confdb: document confdb in snapctl help messages", " - Confdb: only confdb hooks wait if snaps are disabled", " - Confdb: relax confdb change conflict checks", " - Confdb: remove empty parent when removing last leaf", " - Confdb: support parsing field filters", " - Confdb: wrap confdb write values under \"values\" key", " - dm-verity for essential snaps: add new naming convention for", " verity files", " - dm-verity for essential snaps: add snap integrity discovery", " - dm-verity for essential snaps: fix verity salt calculation", " - Assertions: add hardware identity assertion", " - Assertions: add integrity stanza in snap resources revisions", " - Assertions: add request message assertion required for remote", " device management", " - Assertions: add response-message assertion for secure remote", " device management", " - Assertions: expose WithStackedBackstore in RODatabase", " - Packaging: cross-distro | install upstream NEWS file into relevant", " snapd package doc directory", " - Packaging: cross-distro | tweak how the blocks injecting", " $SNAP_MOUNT_DIR/bin are generated as required for openSUSE", " - Packaging: remove deprecated snap-gdb-shim and all references now", " that snap run --gdb is unsupported and replaced by --gdbserver", " - Preseed: call systemd-tmpfiles instead handle-writable-paths on", " uc26", " - Preseed: do not remove the /snap dir but rather all its contents", " during reset", " - snap-confine: attach name derived from security tag to BPF maps", " and programs", " - snap-confine: ensure permitted capabilities match expectation", " - snap-confine: fix cached snap-confine profile cleanup to report", " the correct error instead of masking backend setup failures", " - snap-confine: Improve validation of user controlled paths", " - snap-confine: tighten snap cgroup checks to ensure a snap cannot", " start another snap in the same cgroup, preventing incorrect", " device-filter installation", " - core-initrd: add 26.04 ubuntu-core-initramfs package", " - core-initrd: add missing order dependency for setting default", " system files", " - core-initrd: avoid scanning loop and mmc boot partitions as the", " boot disk won't be any of these", " - core-initrd: make cpio a Depends and remove from Build-Depends", " - core-initrd: start plymouth sooner and reload when gadget is", " available", " - Cross-distro: modify syscheck to account for differences in", " openSUSE 16.0+", " - Validation sets: use in-flight validation sets when calling", " 'snapctl install' from hook", " - Prompting: enable prompting for the camera interface", " - Prompting: remove polkit authentication when modifying/deleting", " prompting rules", " - LP: #2127189 Prompting: do not record notices for unchanged rules", " on snapd startup", " - AppArmor: add free and pidof to the template", " - AppArmor: adjust interfaces/profiles to cope with coreutils paths", " - Interfaces: add support for compatibility expressions", " - Interfaces: checkbox-support | complete overhaul", " - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-", " driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-", " driver-libs", " - Interfaces: allow snaps on classic access to nvidia graphics", " libraries exported by *-driver-libs interfaces", " - Interfaces: fwupd | broaden access to /boot/efi/EFI", " - Interfaces: gsettings | set dconf-service as profile for", " ca.desrt.dconf.Writer", " - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new", " interfaces", " - Interfaces: opengl | grant read/write permission to /run/nvidia-", " persistenced/socket", " - interfaces: ros-snapd-support | add access to /v2/changes/", " - Interfaces: system-observe | read access to btrfs/ext4/zfs", " filesystem information", " - Interfaces: system-trace | allow /sys/kernel/tracing/** rw", " - Interfaces: usb-gadget | add support for ffs mounts in attributes", " - Add autocompletion to run command", " - Introduce option for disallowing auto-connection of a specific", " interface", " - Only log errors for user service operations performed as a part of", " snap removal", " - Patch snap names in service requests for parallel installed snaps", " - Simplify traits for eMMC special partitions", " - Strip apparmor_parser from debug symbols shrinking snapd size by", " ~3MB", " - Fix InstallPathMany skipping refresh control", " - Fix waiting for GDB helper to stop before attaching gdbserver", " - Protect the per-snap tmp directory against being reaped by age", " - Prevent disabling base snaps to ensure dependent snaps can be", " removed", " - Modify API endpoint /v2/logs to reject n <= 0 (except for special", " case -1 meaning all)", " - Avoid potential deadlock when task is injected after the change", " was aborted", " - Avoid race between store download stream and cache cleanup", " executing in parallel when invoked by snap download task", " - LP: #1851490 Use \"current\" instead of revision number for icons", " - LP: #2121853 Add snapctl version command", " - LP: #2127214 Ensure no more than one partition on disk can match a", " gadget partition", " - LP: #2127244 snap-confine: update AppArmor profile to allow", " read/write to journal as workaround for snap-confine fd", " inheritance prevented by newer AppArmor", " - LP: #2127766 Add new tracing mechanism with independently running", " strace and shim synchronization", "" ], "package": "snapd", "version": "2.73", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "author": "Ernest Lotter ", "date": "Fri, 21 Nov 2025 09:08:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.28", "version": "2:8.2.3995-1ubuntu2.28" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.30", "version": "2:8.2.3995-1ubuntu2.30" }, "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-41411", "url": "https://ubuntu.com/security/CVE-2026-41411", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.", "cve_priority": "medium", "cve_public_date": "2026-04-24 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-42307", "url": "https://ubuntu.com/security/CVE-2026-42307", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-44656", "url": "https://ubuntu.com/security/CVE-2026-44656", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" }, { "cve": "CVE-2026-45130", "url": "https://ubuntu.com/security/CVE-2026-45130", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.", "cve_priority": "medium", "cve_public_date": "2026-05-08 23:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection in netrw plugin.", " - debian/patches/CVE-2026-42307.patch: Escape file names and harden regex", " patterns in runtime/autoload/netrw.vim", " - CVE-2026-42307", " * SECURITY UPDATE: Shell execution in completion.", " - debian/patches/CVE-2026-44656.patch: Skip path entries containing", " backticks and add P_SECURE option in src/findfile.c and src/optiondefs.h", " - CVE-2026-44656", " * SECURITY UPDATE: Heap overflow in spellfile.", " - debian/patches/CVE-2026-45130.patch: Enforce a maximum compound length", " in src/spellfile.c", " - CVE-2026-45130", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.30", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Wed, 20 May 2026 15:28:11 -0600" }, { "cves": [ { "cve": "CVE-2026-41411", "url": "https://ubuntu.com/security/CVE-2026-41411", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.", "cve_priority": "medium", "cve_public_date": "2026-04-24 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Command injection via backtick expansion in tag files", " - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting", " to expand filenames", " - CVE-2026-41411", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.29", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Federico Quattrin ", "date": "Wed, 06 May 2026 13:56:18 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "xz-utils", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1", "version": "5.2.5-2ubuntu1" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.2.5-2ubuntu1.1", "version": "5.2.5-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap buffer overflow", " - debian/patches/CVE-2026-34743.patch: adds a check to", " lzma_index_prealloc() to default to a safe size when decoding empty", " indexes in src/liblzma/common/index.c.", " - CVE-2026-34743", "" ], "package": "xz-utils", "version": "5.2.5-2ubuntu1.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Thu, 28 May 2026 19:06:40 +0300" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-1100-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1098.103", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1100.105", "version": "5.15.0-1100.105" }, "cves": [ { "cve": "CVE-2026-31419", "url": "https://ubuntu.com/security/CVE-2026-31419", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================", "cve_priority": "medium", "cve_public_date": "2026-04-13 14:16:00 UTC" }, { "cve": "CVE-2026-31431", "url": "https://ubuntu.com/security/CVE-2026-31431", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.", "cve_priority": "high", "cve_public_date": "2026-04-22 09:16:00 UTC" }, { "cve": "CVE-2026-31533", "url": "https://ubuntu.com/security/CVE-2026-31533", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.", "cve_priority": "medium", "cve_public_date": "2026-04-23 18:16:00 UTC" }, { "cve": "CVE-2026-31504", "url": "https://ubuntu.com/security/CVE-2026-31504", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.", "cve_priority": "medium", "cve_public_date": "2026-04-22 14:16:00 UTC" }, { "cve": "CVE-2024-50060", "url": "https://ubuntu.com/security/CVE-2024-50060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.", "cve_priority": "medium", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2024-35862", "url": "https://ubuntu.com/security/CVE-2024-35862", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2026-23274", "url": "https://ubuntu.com/security/CVE-2026-23274", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "cve_priority": "medium", "cve_public_date": "2026-03-20 09:16:00 UTC" }, { "cve": "CVE-2026-23351", "url": "https://ubuntu.com/security/CVE-2026-23351", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").", "cve_priority": "medium", "cve_public_date": "2026-03-25 11:16:00 UTC" }, { "cve": "CVE-2026-23209", "url": "https://ubuntu.com/security/CVE-2026-23209", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken. Many thanks to valis for following up on this issue.", "cve_priority": "medium", "cve_public_date": "2026-02-14 17:15:00 UTC" }, { "cve": "CVE-2023-2640", "url": "https://ubuntu.com/security/CVE-2023-2640", "cve_description": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2023-32629", "url": "https://ubuntu.com/security/CVE-2023-32629", "cve_description": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2026-23112", "url": "https://ubuntu.com/security/CVE-2026-23112", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.", "cve_priority": "high", "cve_public_date": "2026-02-13 14:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2151000, 2151014, 2148441, 2148097, 2147447, 2144060, 2144380 ], "changes": [ { "cves": [ { "cve": "CVE-2026-31419", "url": "https://ubuntu.com/security/CVE-2026-31419", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================", "cve_priority": "medium", "cve_public_date": "2026-04-13 14:16:00 UTC" }, { "cve": "CVE-2026-31431", "url": "https://ubuntu.com/security/CVE-2026-31431", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.", "cve_priority": "high", "cve_public_date": "2026-04-22 09:16:00 UTC" }, { "cve": "CVE-2026-31533", "url": "https://ubuntu.com/security/CVE-2026-31533", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.", "cve_priority": "medium", "cve_public_date": "2026-04-23 18:16:00 UTC" }, { "cve": "CVE-2026-31504", "url": "https://ubuntu.com/security/CVE-2026-31504", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.", "cve_priority": "medium", "cve_public_date": "2026-04-22 14:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1100.105 -proposed tracker (LP: #2151000)", "", " [ Ubuntu: 5.15.0-179.189 ]", "", " * jammy/linux: 5.15.0-179.189 -proposed tracker (LP: #2151014)", " * CVE-2026-31419", " - net: bonding: fix use-after-free in bond_xmit_broadcast()", " * CVE-2026-31431", " - crypto: scatterwalk - Backport memcpy_sglist()", " - crypto: algif_aead - use memcpy_sglist() instead of null skcipher", " - crypto: algif_aead - Revert to operating out-of-place", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: authenc - use memcpy_sglist() instead of null skcipher", " - crypto: authencesn - Do not place hiseq at end of dst for out-of-place", " decryption", " - crypto: authencesn - Fix src offset when decrypting in-place", " - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl", " - crypto: algif_aead - Fix minimum RX size check for decryption", " * CVE-2026-31533", " - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption", " * CVE-2026-31504", " - net: fix fanout UAF in packet_release() via NETDEV_UP race", "" ], "package": "linux-kvm", "version": "5.15.0-1100.105", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2151000, 2151014 ], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:31 +0200" }, { "cves": [ { "cve": "CVE-2024-50060", "url": "https://ubuntu.com/security/CVE-2024-50060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.", "cve_priority": "medium", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2024-35862", "url": "https://ubuntu.com/security/CVE-2024-35862", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2026-23274", "url": "https://ubuntu.com/security/CVE-2026-23274", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "cve_priority": "medium", "cve_public_date": "2026-03-20 09:16:00 UTC" }, { "cve": "CVE-2026-23351", "url": "https://ubuntu.com/security/CVE-2026-23351", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").", "cve_priority": "medium", "cve_public_date": "2026-03-25 11:16:00 UTC" }, { "cve": "CVE-2026-23209", "url": "https://ubuntu.com/security/CVE-2026-23209", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken. Many thanks to valis for following up on this issue.", "cve_priority": "medium", "cve_public_date": "2026-02-14 17:15:00 UTC" }, { "cve": "CVE-2023-2640", "url": "https://ubuntu.com/security/CVE-2023-2640", "cve_description": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2023-32629", "url": "https://ubuntu.com/security/CVE-2023-32629", "cve_description": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2026-23112", "url": "https://ubuntu.com/security/CVE-2026-23112", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.", "cve_priority": "high", "cve_public_date": "2026-02-13 14:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1099.104 -proposed tracker (LP: #2148441)", "", " [ Ubuntu: 5.15.0-178.188 ]", "", " * jammy/linux: 5.15.0-178.188 -proposed tracker (LP: #2148097)", " * Canonical Kmod 2025 key rotation (LP: #2147447)", " - [Packaging] ubuntu-compatible-signing -- make Ubuntu-Compatible-Signing", " extensible", " - [Packaging] ubuntu-compatible-signing -- allow consumption of positive", " certs", " - [Packaging] ubuntu-compatible-signing -- report the livepatch:2025 key", " - [Config] prepare for Canonical Kmod key rotation", " - [Packaging] ubuntu-compatible-signing -- report the kmod:2025 key", " * ADATA SU680 causes repeated SATA resets and I/O errors on Ubuntu unless", " link power management is forced to max_performance (LP: #2144060)", " - ata: libata-core: disable LPM on ADATA SU680 SSD", " * CVE-2024-50060", " - io_uring: check if we need to reschedule during overflow flush", " * CVE-2024-35862", " - smb: client: fix potential UAF in smb2_is_network_name_deleted()", " * CVE-2026-23274", " - netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", " * CVE-2026-23351", " - netfilter: nf_tables: de-constify set commit ops function argument", " - netfilter: nft_set_pipapo: split gc into unlink and reclaim phase", " * macvlan: observe an RCU grace period in macvlan_common_newlink() error", " path (LP: #2144380) // CVE-2026-23209", " - macvlan: observe an RCU grace period in macvlan_common_newlink() error", " path", " * CVE-2023-2640 // CVE-2023-32629", " - SAUCE: overlayfs: default to userxattr when mounted from non initial", " user namespace", " * CVE-2023-2640 // CVE-2023-2640 and CVE-2023-32629. // CVE-2023-32629", " - SAUCE: Revert \"UBUNTU: SAUCE: overlayfs: Skip permission checking for", " trusted.overlayfs.* xattrs\"", " * CVE-2026-23112", " - nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "" ], "package": "linux-kvm", "version": "5.15.0-1099.104", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2148441, 2148097, 2147447, 2144060, 2144380 ], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 15:32:44 +1000" } ], "notes": "linux-headers-5.15.0-1100-kvm version '5.15.0-1100.105' (source package linux-kvm version '5.15.0-1100.105') was added. linux-headers-5.15.0-1100-kvm version '5.15.0-1100.105' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1098-kvm. As such we can use the source package version of the removed package, '5.15.0-1098.103', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-5.15.0-1100-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1098.103", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1100.105", "version": "5.15.0-1100.105" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-1100.105", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.15.0-1100.105", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:48 +0200" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-1099.104", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.15.0-1099.104", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 16:07:47 +1000" } ], "notes": "linux-image-5.15.0-1100-kvm version '5.15.0-1100.105' (source package linux-signed-kvm version '5.15.0-1100.105') was added. linux-image-5.15.0-1100-kvm version '5.15.0-1100.105' has the same source package name, linux-signed-kvm, as removed package linux-image-5.15.0-1098-kvm. As such we can use the source package version of the removed package, '5.15.0-1098.103', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-kvm-headers-5.15.0-1100", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1098.103", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1100.105", "version": "5.15.0-1100.105" }, "cves": [ { "cve": "CVE-2026-31419", "url": "https://ubuntu.com/security/CVE-2026-31419", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================", "cve_priority": "medium", "cve_public_date": "2026-04-13 14:16:00 UTC" }, { "cve": "CVE-2026-31431", "url": "https://ubuntu.com/security/CVE-2026-31431", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.", "cve_priority": "high", "cve_public_date": "2026-04-22 09:16:00 UTC" }, { "cve": "CVE-2026-31533", "url": "https://ubuntu.com/security/CVE-2026-31533", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.", "cve_priority": "medium", "cve_public_date": "2026-04-23 18:16:00 UTC" }, { "cve": "CVE-2026-31504", "url": "https://ubuntu.com/security/CVE-2026-31504", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.", "cve_priority": "medium", "cve_public_date": "2026-04-22 14:16:00 UTC" }, { "cve": "CVE-2024-50060", "url": "https://ubuntu.com/security/CVE-2024-50060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.", "cve_priority": "medium", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2024-35862", "url": "https://ubuntu.com/security/CVE-2024-35862", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2026-23274", "url": "https://ubuntu.com/security/CVE-2026-23274", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "cve_priority": "medium", "cve_public_date": "2026-03-20 09:16:00 UTC" }, { "cve": "CVE-2026-23351", "url": "https://ubuntu.com/security/CVE-2026-23351", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").", "cve_priority": "medium", "cve_public_date": "2026-03-25 11:16:00 UTC" }, { "cve": "CVE-2026-23209", "url": "https://ubuntu.com/security/CVE-2026-23209", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken. Many thanks to valis for following up on this issue.", "cve_priority": "medium", "cve_public_date": "2026-02-14 17:15:00 UTC" }, { "cve": "CVE-2023-2640", "url": "https://ubuntu.com/security/CVE-2023-2640", "cve_description": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2023-32629", "url": "https://ubuntu.com/security/CVE-2023-32629", "cve_description": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2026-23112", "url": "https://ubuntu.com/security/CVE-2026-23112", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.", "cve_priority": "high", "cve_public_date": "2026-02-13 14:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2151000, 2151014, 2148441, 2148097, 2147447, 2144060, 2144380 ], "changes": [ { "cves": [ { "cve": "CVE-2026-31419", "url": "https://ubuntu.com/security/CVE-2026-31419", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================", "cve_priority": "medium", "cve_public_date": "2026-04-13 14:16:00 UTC" }, { "cve": "CVE-2026-31431", "url": "https://ubuntu.com/security/CVE-2026-31431", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.", "cve_priority": "high", "cve_public_date": "2026-04-22 09:16:00 UTC" }, { "cve": "CVE-2026-31533", "url": "https://ubuntu.com/security/CVE-2026-31533", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.", "cve_priority": "medium", "cve_public_date": "2026-04-23 18:16:00 UTC" }, { "cve": "CVE-2026-31504", "url": "https://ubuntu.com/security/CVE-2026-31504", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.", "cve_priority": "medium", "cve_public_date": "2026-04-22 14:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1100.105 -proposed tracker (LP: #2151000)", "", " [ Ubuntu: 5.15.0-179.189 ]", "", " * jammy/linux: 5.15.0-179.189 -proposed tracker (LP: #2151014)", " * CVE-2026-31419", " - net: bonding: fix use-after-free in bond_xmit_broadcast()", " * CVE-2026-31431", " - crypto: scatterwalk - Backport memcpy_sglist()", " - crypto: algif_aead - use memcpy_sglist() instead of null skcipher", " - crypto: algif_aead - Revert to operating out-of-place", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: authenc - use memcpy_sglist() instead of null skcipher", " - crypto: authencesn - Do not place hiseq at end of dst for out-of-place", " decryption", " - crypto: authencesn - Fix src offset when decrypting in-place", " - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl", " - crypto: algif_aead - Fix minimum RX size check for decryption", " * CVE-2026-31533", " - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption", " * CVE-2026-31504", " - net: fix fanout UAF in packet_release() via NETDEV_UP race", "" ], "package": "linux-kvm", "version": "5.15.0-1100.105", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2151000, 2151014 ], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:31 +0200" }, { "cves": [ { "cve": "CVE-2024-50060", "url": "https://ubuntu.com/security/CVE-2024-50060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.", "cve_priority": "medium", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2024-35862", "url": "https://ubuntu.com/security/CVE-2024-35862", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2026-23274", "url": "https://ubuntu.com/security/CVE-2026-23274", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "cve_priority": "medium", "cve_public_date": "2026-03-20 09:16:00 UTC" }, { "cve": "CVE-2026-23351", "url": "https://ubuntu.com/security/CVE-2026-23351", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").", "cve_priority": "medium", "cve_public_date": "2026-03-25 11:16:00 UTC" }, { "cve": "CVE-2026-23209", "url": "https://ubuntu.com/security/CVE-2026-23209", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken. Many thanks to valis for following up on this issue.", "cve_priority": "medium", "cve_public_date": "2026-02-14 17:15:00 UTC" }, { "cve": "CVE-2023-2640", "url": "https://ubuntu.com/security/CVE-2023-2640", "cve_description": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2023-32629", "url": "https://ubuntu.com/security/CVE-2023-32629", "cve_description": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2026-23112", "url": "https://ubuntu.com/security/CVE-2026-23112", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.", "cve_priority": "high", "cve_public_date": "2026-02-13 14:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1099.104 -proposed tracker (LP: #2148441)", "", " [ Ubuntu: 5.15.0-178.188 ]", "", " * jammy/linux: 5.15.0-178.188 -proposed tracker (LP: #2148097)", " * Canonical Kmod 2025 key rotation (LP: #2147447)", " - [Packaging] ubuntu-compatible-signing -- make Ubuntu-Compatible-Signing", " extensible", " - [Packaging] ubuntu-compatible-signing -- allow consumption of positive", " certs", " - [Packaging] ubuntu-compatible-signing -- report the livepatch:2025 key", " - [Config] prepare for Canonical Kmod key rotation", " - [Packaging] ubuntu-compatible-signing -- report the kmod:2025 key", " * ADATA SU680 causes repeated SATA resets and I/O errors on Ubuntu unless", " link power management is forced to max_performance (LP: #2144060)", " - ata: libata-core: disable LPM on ADATA SU680 SSD", " * CVE-2024-50060", " - io_uring: check if we need to reschedule during overflow flush", " * CVE-2024-35862", " - smb: client: fix potential UAF in smb2_is_network_name_deleted()", " * CVE-2026-23274", " - netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", " * CVE-2026-23351", " - netfilter: nf_tables: de-constify set commit ops function argument", " - netfilter: nft_set_pipapo: split gc into unlink and reclaim phase", " * macvlan: observe an RCU grace period in macvlan_common_newlink() error", " path (LP: #2144380) // CVE-2026-23209", " - macvlan: observe an RCU grace period in macvlan_common_newlink() error", " path", " * CVE-2023-2640 // CVE-2023-32629", " - SAUCE: overlayfs: default to userxattr when mounted from non initial", " user namespace", " * CVE-2023-2640 // CVE-2023-2640 and CVE-2023-32629. // CVE-2023-32629", " - SAUCE: Revert \"UBUNTU: SAUCE: overlayfs: Skip permission checking for", " trusted.overlayfs.* xattrs\"", " * CVE-2026-23112", " - nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "" ], "package": "linux-kvm", "version": "5.15.0-1099.104", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2148441, 2148097, 2147447, 2144060, 2144380 ], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 15:32:44 +1000" } ], "notes": "linux-kvm-headers-5.15.0-1100 version '5.15.0-1100.105' (source package linux-kvm version '5.15.0-1100.105') was added. linux-kvm-headers-5.15.0-1100 version '5.15.0-1100.105' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1098-kvm. As such we can use the source package version of the removed package, '5.15.0-1098.103', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-1100-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1098.103", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1100.105", "version": "5.15.0-1100.105" }, "cves": [ { "cve": "CVE-2026-31419", "url": "https://ubuntu.com/security/CVE-2026-31419", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================", "cve_priority": "medium", "cve_public_date": "2026-04-13 14:16:00 UTC" }, { "cve": "CVE-2026-31431", "url": "https://ubuntu.com/security/CVE-2026-31431", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.", "cve_priority": "high", "cve_public_date": "2026-04-22 09:16:00 UTC" }, { "cve": "CVE-2026-31533", "url": "https://ubuntu.com/security/CVE-2026-31533", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.", "cve_priority": "medium", "cve_public_date": "2026-04-23 18:16:00 UTC" }, { "cve": "CVE-2026-31504", "url": "https://ubuntu.com/security/CVE-2026-31504", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.", "cve_priority": "medium", "cve_public_date": "2026-04-22 14:16:00 UTC" }, { "cve": "CVE-2024-50060", "url": "https://ubuntu.com/security/CVE-2024-50060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.", "cve_priority": "medium", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2024-35862", "url": "https://ubuntu.com/security/CVE-2024-35862", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2026-23274", "url": "https://ubuntu.com/security/CVE-2026-23274", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "cve_priority": "medium", "cve_public_date": "2026-03-20 09:16:00 UTC" }, { "cve": "CVE-2026-23351", "url": "https://ubuntu.com/security/CVE-2026-23351", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").", "cve_priority": "medium", "cve_public_date": "2026-03-25 11:16:00 UTC" }, { "cve": "CVE-2026-23209", "url": "https://ubuntu.com/security/CVE-2026-23209", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken. Many thanks to valis for following up on this issue.", "cve_priority": "medium", "cve_public_date": "2026-02-14 17:15:00 UTC" }, { "cve": "CVE-2023-2640", "url": "https://ubuntu.com/security/CVE-2023-2640", "cve_description": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2023-32629", "url": "https://ubuntu.com/security/CVE-2023-32629", "cve_description": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2026-23112", "url": "https://ubuntu.com/security/CVE-2026-23112", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.", "cve_priority": "high", "cve_public_date": "2026-02-13 14:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2151000, 2151014, 2148441, 2148097, 2147447, 2144060, 2144380 ], "changes": [ { "cves": [ { "cve": "CVE-2026-31419", "url": "https://ubuntu.com/security/CVE-2026-31419", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is \"last\" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the \"last\" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================", "cve_priority": "medium", "cve_public_date": "2026-04-13 14:16:00 UTC" }, { "cve": "CVE-2026-31431", "url": "https://ubuntu.com/security/CVE-2026-31431", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.", "cve_priority": "high", "cve_public_date": "2026-04-22 09:16:00 UTC" }, { "cve": "CVE-2026-31533", "url": "https://ubuntu.com/security/CVE-2026-31533", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.", "cve_priority": "medium", "cve_public_date": "2026-04-23 18:16:00 UTC" }, { "cve": "CVE-2026-31504", "url": "https://ubuntu.com/security/CVE-2026-31504", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.", "cve_priority": "medium", "cve_public_date": "2026-04-22 14:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1100.105 -proposed tracker (LP: #2151000)", "", " [ Ubuntu: 5.15.0-179.189 ]", "", " * jammy/linux: 5.15.0-179.189 -proposed tracker (LP: #2151014)", " * CVE-2026-31419", " - net: bonding: fix use-after-free in bond_xmit_broadcast()", " * CVE-2026-31431", " - crypto: scatterwalk - Backport memcpy_sglist()", " - crypto: algif_aead - use memcpy_sglist() instead of null skcipher", " - crypto: algif_aead - Revert to operating out-of-place", " - crypto: algif_aead - snapshot IV for async AEAD requests", " - crypto: authenc - use memcpy_sglist() instead of null skcipher", " - crypto: authencesn - Do not place hiseq at end of dst for out-of-place", " decryption", " - crypto: authencesn - Fix src offset when decrypting in-place", " - crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl", " - crypto: algif_aead - Fix minimum RX size check for decryption", " * CVE-2026-31533", " - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption", " * CVE-2026-31504", " - net: fix fanout UAF in packet_release() via NETDEV_UP race", "" ], "package": "linux-kvm", "version": "5.15.0-1100.105", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2151000, 2151014 ], "author": "Edoardo Canepa ", "date": "Wed, 06 May 2026 18:05:31 +0200" }, { "cves": [ { "cve": "CVE-2024-50060", "url": "https://ubuntu.com/security/CVE-2024-50060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.", "cve_priority": "medium", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2024-35862", "url": "https://ubuntu.com/security/CVE-2024-35862", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "medium", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2026-23274", "url": "https://ubuntu.com/security/CVE-2026-23274", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "cve_priority": "medium", "cve_public_date": "2026-03-20 09:16:00 UTC" }, { "cve": "CVE-2026-23351", "url": "https://ubuntu.com/security/CVE-2026-23351", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").", "cve_priority": "medium", "cve_public_date": "2026-03-25 11:16:00 UTC" }, { "cve": "CVE-2026-23209", "url": "https://ubuntu.com/security/CVE-2026-23209", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken. Many thanks to valis for following up on this issue.", "cve_priority": "medium", "cve_public_date": "2026-02-14 17:15:00 UTC" }, { "cve": "CVE-2023-2640", "url": "https://ubuntu.com/security/CVE-2023-2640", "cve_description": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2023-32629", "url": "https://ubuntu.com/security/CVE-2023-32629", "cve_description": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "cve_priority": "high", "cve_public_date": "2023-07-26 02:15:00 UTC" }, { "cve": "CVE-2026-23112", "url": "https://ubuntu.com/security/CVE-2026-23112", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.", "cve_priority": "high", "cve_public_date": "2026-02-13 14:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1099.104 -proposed tracker (LP: #2148441)", "", " [ Ubuntu: 5.15.0-178.188 ]", "", " * jammy/linux: 5.15.0-178.188 -proposed tracker (LP: #2148097)", " * Canonical Kmod 2025 key rotation (LP: #2147447)", " - [Packaging] ubuntu-compatible-signing -- make Ubuntu-Compatible-Signing", " extensible", " - [Packaging] ubuntu-compatible-signing -- allow consumption of positive", " certs", " - [Packaging] ubuntu-compatible-signing -- report the livepatch:2025 key", " - [Config] prepare for Canonical Kmod key rotation", " - [Packaging] ubuntu-compatible-signing -- report the kmod:2025 key", " * ADATA SU680 causes repeated SATA resets and I/O errors on Ubuntu unless", " link power management is forced to max_performance (LP: #2144060)", " - ata: libata-core: disable LPM on ADATA SU680 SSD", " * CVE-2024-50060", " - io_uring: check if we need to reschedule during overflow flush", " * CVE-2024-35862", " - smb: client: fix potential UAF in smb2_is_network_name_deleted()", " * CVE-2026-23274", " - netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", " * CVE-2026-23351", " - netfilter: nf_tables: de-constify set commit ops function argument", " - netfilter: nft_set_pipapo: split gc into unlink and reclaim phase", " * macvlan: observe an RCU grace period in macvlan_common_newlink() error", " path (LP: #2144380) // CVE-2026-23209", " - macvlan: observe an RCU grace period in macvlan_common_newlink() error", " path", " * CVE-2023-2640 // CVE-2023-32629", " - SAUCE: overlayfs: default to userxattr when mounted from non initial", " user namespace", " * CVE-2023-2640 // CVE-2023-2640 and CVE-2023-32629. // CVE-2023-32629", " - SAUCE: Revert \"UBUNTU: SAUCE: overlayfs: Skip permission checking for", " trusted.overlayfs.* xattrs\"", " * CVE-2026-23112", " - nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec", "" ], "package": "linux-kvm", "version": "5.15.0-1099.104", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2148441, 2148097, 2147447, 2144060, 2144380 ], "author": "Stewart Hore ", "date": "Mon, 27 Apr 2026 15:32:44 +1000" } ], "notes": "linux-modules-5.15.0-1100-kvm version '5.15.0-1100.105' (source package linux-kvm version '5.15.0-1100.105') was added. linux-modules-5.15.0-1100-kvm version '5.15.0-1100.105' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1098-kvm. As such we can use the source package version of the removed package, '5.15.0-1098.103', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-1098-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1098.103", "version": "5.15.0-1098.103" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-5.15.0-1098-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1098.103", "version": "5.15.0-1098.103" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-kvm-headers-5.15.0-1098", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1098.103", "version": "5.15.0-1098.103" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-1098-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1098.103", "version": "5.15.0-1098.103" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20260430 to 20260602", "from_series": "jammy", "to_series": "jammy", "from_serial": "20260430", "to_serial": "20260602", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }