Ubuntu Security Advisories

USN-8447-2: LXD vulnerabilities

7 hours 45 minutes ago
USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in LXD for CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, and CVE-2026-42508. Original advisory details: It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-39830) It was discovered that Go Cryptography did not properly verify user presence when using FIDO/U2F security keys. An attacker could possibly use this issue to bypass user presence verification for hardware security keys. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-39831) It was discovered that Go Cryptography did not properly serialize SSH agent key constraint extensions. An attacker could possibly use this issue to bypass intended key usage restrictions. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-39832) It was discovered that Go Cryptography did not properly enforce the confirm-before-use constraint in the SSH agent keyring. An attacker could possibly use this issue to use SSH keys without the required user confirmation. (CVE-2026-39833) It was discovered that Go Cryptography had an integer overflow when handling large SSH channel writes. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-39834) It was discovered that Go Cryptography did not properly check certificate authority key revocation. An attacker could possibly use this issue to bypass certificate authority revocation checks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42508) It was discovered that Go Cryptography did not properly enforce the source-address critical option for all SSH server callback types. An attacker could possibly use this issue to bypass source address authorization restrictions. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-46595)

USN-8454-1: libheif vulnerabilities

11 hours 8 minutes ago
Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32738) Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files, leading to an infinite loop. An attacker could possibly use this issue to cause libheif to use excessive resources, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32739) Elhanan Haenel discovered that libheif incorrectly handled certain crafted HEIF/AVIF image files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32740) It was discovered that libheif incorrectly handled certain crafted HEIF files containing mask images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32741) It was discovered that libheif incorrectly handled certain crafted grid-based HEIF/AVIF files. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32814) It was discovered that libheif incorrectly handled certain crafted HEIF files when compositing overlay images. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-32882) It was discovered that libheif incorrectly handled certain crafted files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3950) It was discovered that libheif incorrectly handled certain malformed HEIF sequence files. 
An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41069) It was discovered that libheif incorrectly handled certain crafted HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41071)

USN-8452-1: pbkdf2 vulnerability

11 hours 19 minutes ago
Nikita Skovoroda discovered that pbkdf2 did not properly validate certain algorithm names. An attacker could possibly use this issue to generate predictable cryptographic keys, resulting in signature spoofing.

USN-8453-1: Net::CIDR::Lite vulnerabilities

11 hours 34 minutes ago
It was discovered that Net::CIDR::Lite incorrectly validated IP address and CIDR mask inputs. An attacker could possibly use this issue to bypass IP access control lists. (CVE-2026-45190) It was discovered that Net::CIDR::Lite incorrectly handled extraneous zero characters in CIDR mask values. An attacker could possibly use this issue to bypass IP access control lists. (CVE-2026-45191)

USN-8451-1: Vim vulnerabilities

11 hours 44 minutes ago
Srinivas Piskala Ganesh Babu discovered that Vim incorrectly handled directory names when serializing browsed paths to the netrw history file. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-47162) It was discovered that Vim incorrectly handled step-definition patterns in the cucumber filetype plugin. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-47167) It was discovered that Vim incorrectly handled import statements during Python omni-completion. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-52858) Andrej Tomči discovered that Vim incorrectly handled certain terminal screen cells when taking a snapshot, leading to an out-of-bounds read. An attacker could possibly use this issue to cause Vim to crash, resulting in a denial of service. (CVE-2026-52859) David Carliez discovered that Vim incorrectly handled reconstructed function and class definitions during Python omni-completion. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-52860)

USN-8450-1: Tomcat vulnerabilities

11 hours 54 minutes ago
It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could possibly use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. (CVE-2026-41284) It was discovered that Tomcat incorrectly validated HTTP/2 header fields. A remote attacker could use this issue to cause Tomcat to crash or possibly execute arbitrary code. (CVE-2026-41293) It was discovered that Tomcat did not properly clear HTTP authentication headers during WebSocket connection upgrades and redirects. A remote attacker could possibly use this issue to obtain sensitive credentials. (CVE-2026-42498) It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined the same HTTP method. A remote attacker could possibly use this issue to bypass authorization restrictions. (CVE-2026-43515)

USN-8442-1: kitty vulnerabilities

1 day 12 hours ago
It was discovered that kitty incorrectly handled certain image data. An attacker able to write to the terminal's input could possibly use this issue to cause kitty to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-33633) It was discovered that kitty incorrectly handled certain graphics commands. An attacker able to write escape sequences to a kitty terminal could possibly use this issue to cause kitty to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-33642)

USN-8390-2: Linux kernel vulnerability

1 day 17 hours ago
It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container.

USN-8441-1: Linux kernel vulnerabilities

1 day 17 hours ago
It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Packet sockets; (CVE-2026-31504, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-46028)

USN-8440-1: Linux kernel (Azure) vulnerabilities

2 days 5 hours ago
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo discovered that some AMD Zen processors did not properly verify the signature of CPU microcode. This flaw is known as EntrySign. A privileged attacker could possibly use this issue to load malicious CPU microcode, causing loss of integrity and confidentiality. (CVE-2024-36347) It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contain a memory leak when handling AppArmor notifications. A local attacker could use this to cause resource exhaustion. (CVE-2026-47326) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contain a NULL pointer dereference when handling AppArmor notifications. A local attacker could use this to cause a kernel oops. 
(CVE-2026-47327) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained an invalid free when handling AppArmor notifications. A local attacker could use this to corrupt kernel memory. (CVE-2026-47328) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained insufficient validation of AppArmor notification responses. A local attacker could use this to allow crafted responses to be processed. (CVE-2026-47329) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 used an uninitialized variable when handling AppArmor notifications. A local attacker could use this to cause incorrect caching of data. (CVE-2026-47330) Tristan Madani discovered that Ubuntu Linux kernel 6.8 contained a use-after-free (UAF) bug. A local attacker could use this to cause memory corruption and, theoretically, arbitrary code execution. (CVE-2026-47331) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained an out-of-bounds (OOB) read when handling AppArmor notifications. A local attacker could use this to cause information disclosure of kernel memory. (CVE-2026-47332) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained an out-of-bounds (OOB) read when handling AppArmor notifications. A local attacker could use this to cause kernel memory corruption and, theoretically, influence processing of AppArmor policies. (CVE-2026-47333) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained incorrect holding of locks when handling AppArmor notifications. A local attacker could use this to cause a kernel panic or deadlock. (CVE-2026-47334) Tristan Madani discovered that Ubuntu Linux kernel 6.8 contained a NULL pointer dereference when handling AppArmor notifications. A local attacker could use this to cause a kernel panic. 
(CVE-2026-47335) Tristan Madani discovered that Ubuntu Linux kernel 6.8 used an uninitialized variable when handling AppArmor AF_INET/AF_INET6 socket mediation. A local attacker could use this to influence processing of fine-grained network socket mediation. (CVE-2026-47336) Tristan Madani and Trevor Lawrence have each independently discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained a NULL pointer dereference when handling AppArmor network socket mediation. A local attacker could use this to cause a kernel oops. (CVE-2026-47337) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - MIPS architecture; - PowerPC architecture; - x86 architecture; - Block layer subsystem; - Cryptographic API; - Compute Acceleration Framework; - ACPI drivers; - Drivers core; - Network block device driver; - Null block device driver; - Ublk userspace block driver; - Bluetooth drivers; - Character device driver; - TPM device driver; - Clock framework and drivers; - Data acquisition framework and drivers; - Counter interface drivers; - Hardware crypto device drivers; - DMA engine subsystem; - DPLL subsystem; - GPU drivers; - HID subsystem; - Hardware monitoring drivers; - Intel Trace Hub HW tracing drivers; - IIO ADC drivers; - IIO subsystem; - InfiniBand drivers; - Input Device core drivers; - On-Chip Interconnect management framework; - IOMMU subsystem; - IRQ chip drivers; - Modular ISDN driver; - LED subsystem; - Macintosh device drivers; - Multiple devices driver; - Media drivers; - UACCE accelerator framework; - MMC subsystem; - Ethernet bonding driver; - Network drivers; - Mellanox network drivers; - STMicroelectronics network drivers; - Ethernet team driver; - MediaTek network drivers; - NVME drivers; - PA-RISC drivers; - PHY drivers; - Chrome hardware platform drivers; - x86 platform drivers; - i.MX PM domains; - Voltage 
and Current Regulator drivers; - SCSI subsystem; - SLIMbus drivers; - SPI subsystem; - Media Oriented Systems Transport (MOST) driver; - Realtek RTL8723BS SDIO drivers; - TCM subsystem; - USB Host Controller drivers; - USB Type-C Connector System Software Interface driver; - Backlight driver; - W1 Dallas's 1-wire bus driver; - Watchdog drivers; - Xen hypervisor drivers; - BFS file system; - BTRFS file system; - EFI Variable file system; - exFAT file system; - Ext4 file system; - F2FS file system; - FUSE (File system in Userspace); - HFS+ file system; - File systems infrastructure; - Journaling layer for block devices (JBD2); - Network file system (NFS) client; - Network file system (NFS) server daemon; - File system notification infrastructure; - NTFS3 file system; - OCFS2 file system; - SMB network file system; - BPF subsystem; - Ethernet bridge; - Scheduler infrastructure; - Netfilter; - NFC subsystem; - Tracing infrastructure; - io_uring subsystem; - Perf events; - Locking primitives; - Shadow Call Stack mechanism; - Floating proportions library; - Memory management; - Bluetooth subsystem; - CAIF protocol; - CAN network layer; - Ceph Core library; - Networking core; - Ethtool driver; - Handshake API; - HSR network protocol; - IPv4 networking; - IPv6 networking; - L2TP protocol; - MAC80211 subsystem; - Multipath TCP; - NET/ROM layer; - Open vSwitch; - Packet sockets; - RDS protocol; - Rose network layer; - RxRPC session sockets; - Network traffic control; - SCTP protocol; - Network sockets; - Sun RPC protocol; - TLS protocol; - Unix domain sockets; - VMware vSockets driver; - Wireless networking; - Integrity Measurement Architecture (IMA) framework; - Key management; - Simplified Mandatory Access Control Kernel framework; - ALSA AC97 driver; - Generic PCM loopback sound driver; - FireWire sound drivers; - HD-audio driver; - Turtle Beach Wavefront ALSA driver; - Creative Sound Blaster X-Fi driver; - AMD SoC ALSA drivers; - Texas Instruments Audio (ASoC/HDA) 
drivers; - STMicroelectronics SoC drivers; - USB sound devices; - KVM subsystem; (CVE-2024-50004, CVE-2024-57795, CVE-2024-58096, CVE-2024-58097, CVE-2025-22022, CVE-2025-22111, CVE-2025-37926, CVE-2025-38022, CVE-2025-38201, CVE-2025-38234, CVE-2025-38591, CVE-2025-40039, CVE-2025-40082, CVE-2025-40149, CVE-2025-40164, CVE-2025-40325, CVE-2025-68206, CVE-2025-68254, CVE-2025-68255, CVE-2025-68256, CVE-2025-68257, CVE-2025-68258, CVE-2025-68259, CVE-2025-68261, CVE-2025-68263, CVE-2025-68264, CVE-2025-68265, CVE-2025-68266, CVE-2025-68291, CVE-2025-68325, CVE-2025-68332, CVE-2025-68335, CVE-2025-68336, CVE-2025-68337, CVE-2025-68344, CVE-2025-68345, CVE-2025-68346, CVE-2025-68347, CVE-2025-68349, CVE-2025-68351, CVE-2025-68354, CVE-2025-68358, CVE-2025-68362, CVE-2025-68363, CVE-2025-68364, CVE-2025-68365, CVE-2025-68366, CVE-2025-68367, CVE-2025-68369, CVE-2025-68371, CVE-2025-68372, CVE-2025-68374, CVE-2025-68378, CVE-2025-68379, CVE-2025-68380, CVE-2025-68724, CVE-2025-68725, CVE-2025-68727, CVE-2025-68728, CVE-2025-68732, CVE-2025-68733, CVE-2025-68740, CVE-2025-68741, CVE-2025-68742, CVE-2025-68744, CVE-2025-68746, CVE-2025-68749, CVE-2025-68753, CVE-2025-68755, CVE-2025-68756, CVE-2025-68757, CVE-2025-68758, CVE-2025-68759, CVE-2025-68763, CVE-2025-68764, CVE-2025-68765, CVE-2025-68766, CVE-2025-68767, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68782, CVE-2025-68783, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68803, CVE-2025-68804, CVE-2025-68806, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, 
CVE-2025-68823, CVE-2025-71064, CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71071, CVE-2025-71072, CVE-2025-71075, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71088, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71116, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71125, CVE-2025-71126, CVE-2025-71127, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71141, CVE-2025-71143, CVE-2025-71144, CVE-2025-71147, CVE-2025-71148, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2025-71160, CVE-2025-71162, CVE-2025-71163, CVE-2025-71180, CVE-2025-71182, CVE-2025-71183, CVE-2025-71184, CVE-2025-71185, CVE-2025-71186, CVE-2025-71188, CVE-2025-71189, CVE-2025-71190, CVE-2025-71191, CVE-2025-71192, CVE-2025-71193, CVE-2025-71194, CVE-2025-71195, CVE-2025-71196, CVE-2025-71197, CVE-2025-71198, CVE-2025-71199, CVE-2025-71200, CVE-2025-71220, CVE-2025-71222, CVE-2025-71224, CVE-2025-71225, CVE-2025-71268, CVE-2026-22976, CVE-2026-22977, CVE-2026-22978, CVE-2026-22979, CVE-2026-22980, CVE-2026-22982, CVE-2026-22984, CVE-2026-22990, CVE-2026-22991, CVE-2026-22992, CVE-2026-22994, CVE-2026-22996, CVE-2026-22997, CVE-2026-22998, CVE-2026-22999, CVE-2026-23000, CVE-2026-23001, CVE-2026-23003, CVE-2026-23005, CVE-2026-23006, CVE-2026-23010, CVE-2026-23011, CVE-2026-23019, CVE-2026-23020, CVE-2026-23021, CVE-2026-23025, CVE-2026-23026, CVE-2026-23030, CVE-2026-23031, CVE-2026-23032, 
CVE-2026-23033, CVE-2026-23035, CVE-2026-23037, CVE-2026-23038, CVE-2026-23047, CVE-2026-23049, CVE-2026-23050, CVE-2026-23053, CVE-2026-23054, CVE-2026-23056, CVE-2026-23057, CVE-2026-23058, CVE-2026-23059, CVE-2026-23061, CVE-2026-23062, CVE-2026-23063, CVE-2026-23064, CVE-2026-23065, CVE-2026-23068, CVE-2026-23069, CVE-2026-23071, CVE-2026-23073, CVE-2026-23075, CVE-2026-23076, CVE-2026-23078, CVE-2026-23080, CVE-2026-23083, CVE-2026-23084, CVE-2026-23085, CVE-2026-23086, CVE-2026-23087, CVE-2026-23088, CVE-2026-23089, CVE-2026-23090, CVE-2026-23091, CVE-2026-23093, CVE-2026-23094, CVE-2026-23095, CVE-2026-23096, CVE-2026-23097, CVE-2026-23098, CVE-2026-23099, CVE-2026-23101, CVE-2026-23102, CVE-2026-23103, CVE-2026-23105, CVE-2026-23107, CVE-2026-23108, CVE-2026-23110, CVE-2026-23112, CVE-2026-23113, CVE-2026-23116, CVE-2026-23119, CVE-2026-23120, CVE-2026-23121, CVE-2026-23123, CVE-2026-23124, CVE-2026-23125, CVE-2026-23126, CVE-2026-23128, CVE-2026-23129, CVE-2026-23131, CVE-2026-23133, CVE-2026-23135, CVE-2026-23136, CVE-2026-23139, CVE-2026-23140, CVE-2026-23141, CVE-2026-23142, CVE-2026-23144, CVE-2026-23145, CVE-2026-23146, CVE-2026-23148, CVE-2026-23150, CVE-2026-23151, CVE-2026-23156, CVE-2026-23159, CVE-2026-23160, CVE-2026-23163, CVE-2026-23164, CVE-2026-23166, CVE-2026-23167, CVE-2026-23168, CVE-2026-23170, CVE-2026-23172, CVE-2026-23173, CVE-2026-23176, CVE-2026-23178, CVE-2026-23179, CVE-2026-23180, CVE-2026-23182, CVE-2026-23187, CVE-2026-23190, CVE-2026-23191, CVE-2026-23193, CVE-2026-23198, CVE-2026-23204, CVE-2026-23205, CVE-2026-23206, CVE-2026-23209, CVE-2026-23212, CVE-2026-23213, CVE-2026-23214, CVE-2026-23215, CVE-2026-23216, CVE-2026-23231, CVE-2026-23254, CVE-2026-23256, CVE-2026-23257, CVE-2026-23258, CVE-2026-23260, CVE-2026-23261, CVE-2026-23262, CVE-2026-23264, CVE-2026-23274, CVE-2026-23351, CVE-2026-23394, CVE-2026-31419, CVE-2026-31504, CVE-2026-31533, CVE-2026-31676, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-43362, 
CVE-2026-43494, CVE-2026-46028, CVE-2026-46323)

USN-8426-2: Linux kernel (Azure) vulnerabilities

2 days 5 hours ago
It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Ethernet bonding driver; - SMB network file system; - Netfilter; - io_uring subsystem; - Packet sockets; - RDS protocol; - TLS protocol; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351, CVE-2026-31419, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-43494, CVE-2026-46028)

USN-8438-1: OpenImageIO vulnerabilities

2 days 6 hours ago
It was discovered that OpenImageIO incorrectly performed bounds checking when processing SGI files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-43903) It was discovered that OpenImageIO incorrectly handled run-length encoding when processing Softimage PIC files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-43904) It was discovered that OpenImageIO incorrectly validated subimage metadata when processing HEIF files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-43906) It was discovered that OpenImageIO contained multiple integer overflow vulnerabilities when processing DPX files. An attacker could possibly use these issues to cause a denial of service or execute arbitrary code. (CVE-2026-43907, CVE-2026-43908, CVE-2026-43909)

USN-8439-1: Linux kernel (Oracle) vulnerabilities

2 days 7 hours ago
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640) Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-32629) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Network drivers; - NVME drivers; - SMB network file system; - Netfilter; - io_uring subsystem; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23112, CVE-2026-23273, CVE-2026-23274, CVE-2026-23351)

USN-8437-1: rabbitmq-c vulnerabilities

2 days 13 hours ago
It was discovered that rabbitmq-c exposed credentials in command-line arguments under certain circumstances. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2023-35789) It was discovered that rabbitmq-c incorrectly handled AMQP frame lengths under certain circumstances, which could lead to an out-of-bounds read. A remote attacker could possibly use this issue to cause rabbitmq-c to crash, resulting in a denial of service. (CVE-2026-44235) It was discovered that rabbitmq-c incorrectly handled AMQP login handshakes under certain circumstances, which could lead to a heap buffer overflow. A remote attacker could possibly use this issue to cause rabbitmq-c to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-44236)

USN-8433-1: OpenStack Keystone vulnerabilities

2 days 14 hours ago
It was discovered that OpenStack Keystone allowed restricted application credentials to create EC2 credentials. An authenticated attacker with only a reader role could possibly use this issue to bypass the role restrictions imposed on the application credential. (CVE-2026-33551) It was discovered that the OpenStack Keystone LDAP identity backend did not correctly convert the user enabled attribute to a boolean value. An attacker could possibly use this issue to authenticate as a user disabled in LDAP. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-40683) It was discovered that OpenStack Keystone's application credential authentication plugin did not verify that the user supplied in an authentication request matched the credential owner. An authenticated attacker could possibly impersonate another user and gain access to their tokens and credentials. (CVE-2026-42998) It was discovered that OpenStack Keystone's RBAC policy enforcer unconditionally merged the raw JSON request body into the policy enforcement dictionary, overwriting trusted target data. An authenticated attacker could possibly use this issue to inject arbitrary policy attributes to bypass RBAC checks. (CVE-2026-42999) It was discovered that OpenStack Keystone allowed an attacker with the member role to escalate privileges to admin by chaining application credential impersonation with Keystone trusts. An attacker could possibly use this issue to create a persistent trust delegating the victim's admin role to themselves. (CVE-2026-43000) It was discovered that OpenStack Keystone did not validate that the project_id for an EC2 credential matched the project of the authenticating application credential. An attacker with valid credentials for one project could possibly use this issue to create EC2 credentials targeting a different project. 
(CVE-2026-43001) It was discovered that OpenStack Keystone's federated token rescoping mechanism did not propagate the original token's expiry to the newly issued token. A remote attacker could possibly use this issue to maintain access indefinitely by repeatedly rescoping tokens before expiry. (CVE-2026-44394)

USN-8432-1: FreeRDP vulnerabilities

2 days 19 hours ago
It was discovered that FreeRDP incorrectly handled memory under certain circumstances, which could lead to an out-of-bounds heap write. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-45700) In addition, this update fixes a regression introduced in USN-8105-1. The update introduces a complete fix for CVE-2026-22858, CVE-2026-23732 and CVE-2026-25952 in Ubuntu 24.04 LTS and Ubuntu 25.10.

USN-8349-3: rsync regression

2 days 20 hours ago
USN-8349-1 fixed vulnerabilities in rsync. Unfortunately that update introduced multiple regressions in rsync functionality. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service. (CVE-2025-10158) Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without chroot protection were exposed to a race condition on parent path components. A local attacker with write access to a module could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-29518) It was discovered that rsync did not properly validate a length value while sorting extended attributes. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035) It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations. A remote attacker could possibly use this issue to bypass hostname-based access controls and access network services. (CVE-2026-43617) Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618) Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system calls for daemons configured without chroot protection. A local attacker could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619) Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service. 
(CVE-2026-43620) Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An attacker able to intercept network communications or a malicious proxy server could possibly use this issue to cause a denial of service. (CVE-2026-45232)

USN-8431-1: Ruby vulnerabilities

3 days 10 hours ago
It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security (TLS) encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246) It was also discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2026-42257)