Ubuntu Security Advisories

USN-8091-1: util-linux vulnerability

1 day 11 hours ago
It was discovered that the util-linux su utility did not drop capabilities when being used with the --pty option. While not a security issue by itself, a local attacker could possibly use the su tool to exploit vulnerabilities in other applications.

USN-8090-2: OpenSSH vulnerabilities

1 day 12 hours ago
USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory details: Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-3497) David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61984) David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

USN-8090-1: OpenSSH vulnerabilities

1 day 12 hours ago
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-3497) David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61984) David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

USN-8089-1: Go Networking vulnerabilities

1 day 14 hours ago
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu discovered that servers using Go Networking could hang during shutdown if preempted by a fatal error. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-27664) Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted stream could cause excessive CPU usage in Go Networking's HPACK decoder. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-41723) Mohammad Thoriq Aziz discovered that Go Networking did not properly sanitize some text nodes. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-3978) Sean Ng discovered an error in Go Networking's HTML tag handling. An attacker could possibly use this to cause a denial of service. (CVE-2025-22872) Guido Vranken and Jakub Ciolek discovered that a maliciously crafted HTML document could exhaust system resources on servers using Go Networking. An attacker could possibly use this to cause a denial of service. (CVE-2025-47911) Guido Vranken discovered that a maliciously crafted HTML document could put servers using Go Networking into an infinite loop. An attacker could possibly use this to cause a denial of service. (CVE-2025-58190)

USN-8088-1: go-git vulnerabilities

1 day 15 hours ago
Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614) Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569) It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with local Git repositories. (CVE-2025-21613) It was discovered that go-git did not properly verify integrity checks for pack and index files. An attacker could possibly use this issue to cause go-git to process corrupted repository data, resulting in unexpected errors or an incorrect repository state. (CVE-2026-25934)

USN-8085-1: .NET vulnerabilities

2 days 14 hours ago
It was discovered that the .NET Microsoft.Bcl.Memory NuGet package did not properly handle certain malformed Base64Url encoded input. An attacker could possibly use this issue to cause .NET to crash, resulting in a denial of service. This issue only affected .NET 9.0 and .NET 10.0. (CVE-2026-26127) Bartłomiej Dach discovered that .NET's SignalR server component did not properly manage resource consumption when processing certain messages. An attacker could possibly use this issue to exhaust internal buffers, resulting in a denial of service. (CVE-2026-26130)

USN-8084-1: curl vulnerabilities

2 days 19 hours ago
Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. (CVE-2026-1965) It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. (CVE-2026-3783) Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784) Daniel Wade discovered that curl incorrectly handled certain memory operations when doing a second SMB request to the same host. An attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 25.10. (CVE-2026-3805) Yihang Zhou discovered that curl incorrectly reused .netrc file credentials when following redirects. This could result in the use of credentials for a different host, contrary to expectations. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-0167)

USN-8081-1: libpng vulnerabilities

2 days 22 hours ago
It was discovered that libpng did not properly handle memory when processing certain PNG files. An attacker could possibly use this issue to cause libpng to crash, resulting in a denial of service, or disclose sensitive information. (CVE-2025-64505) Joshua Inscoe discovered that libpng did not properly handle memory when processing certain PNG files. An attacker could possibly use this issue to cause libpng to crash, resulting in a denial of service, disclose sensitive information, or execute arbitrary code. (CVE-2026-25646)

USN-8082-1: GIMP vulnerabilities

3 days 14 hours ago
Michael Randrianantenaina discovered that GIMP incorrectly handled certain malformed ICO files. An attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2025-5473) Seungho Kim discovered that GIMP incorrectly handled certain memory operations when running the despeckle plugin. An attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2025-6035)

USN-8080-1: YARA vulnerabilities

4 days 15 hours ago
Kamil Frankowicz discovered that a number of YARA's functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service. These issues only affected Ubuntu 16.04 LTS. (CVE-2016-10211, CVE-2017-5923, CVE-2017-5924, CVE-2017-8294, CVE-2017-8929, CVE-2017-9304, CVE-2017-9438, CVE-2017-9465) Jurriaan Bremer discovered that YARA's yr_object_array_set_limit() function could result in a heap buffer overflow when scanning specially crafted .NET files. A remote attacker could possibly use this issue to cause YARA to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11328) It was discovered that YARA's yr_execute_code() function could cause an out-of-bounds read or write when parsing specially crafted compiled rule files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service. These issues only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-12034, CVE-2018-12035) It was discovered that YARA's virtual machine could be escaped in certain instances. A remote attacker could possibly use these issues to execute arbitrary code. These issues only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-19974, CVE-2018-19975, CVE-2018-19976) It was discovered that YARA's macho_parse_file() function would generate an out-of-bounds memory access error when parsing a specially crafted Mach-O file. A remote attacker could possibly use this issue to cause YARA to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2019-19648) It was discovered that YARA's macho.c implementation contained several overflow reads, which could be triggered when parsing specially crafted Mach-O files. A remote attacker could possibly use this issue to cause YARA to crash, resulting in a denial of service, or to learn sensitive information. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-3402) It was discovered that YARA's yr_set_configuration() function could trigger a buffer overflow when parsing specially crafted rules. A remote attacker could possibly use this issue to cause YARA to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-45429)

USN-7968-2: Apache HTTP Server regression

4 days 19 hours ago
USN-7968-1 fixed vulnerabilities in Apache HTTP Server. The update introduced a regression in mod_md where the MDStapleOthers setting was ignored, which resulted in OCSP being broken for some domains. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the Apache HTTP Server incorrectly handled failed ACME certificate renewals. This could result in renewal attempts being repeated without delays, possibly leading to a denial of service. (CVE-2025-55753) Anthony Parfenov discovered that the Apache HTTP Server would pass the query string to cmd directives when configured with Server Side Includes (SSI) enabled and mod_cgid. An attacker could possibly use this issue to execute arbitrary code. (CVE-2025-58098) Mattias Åsander discovered that the Apache HTTP Server incorrectly neutralized certain environment variables. This could result in unexpectedly superseding variables calculated by the server for CGI programs. (CVE-2025-65082) Mattias Åsander discovered that the Apache HTTP Server incorrectly handled AllowOverride FileInfo configurations when using mod_userdir with suexec. An attacker with access to use the RequestHeader directive in htaccess could cause some CGI scripts to run under an unexpected userid. (CVE-2025-66200)

USN-8018-2: Python regression

4 days 21 hours ago
USN-8018-1 fixed vulnerabilities in python3. That update introduced regressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused behavior regressions in IMAP and POP3 handling, which upstream chose to avoid by not backporting them. Additionally, the patch for CVE-2026-0865 incorrectly rejected horizontal tabs in wsgiref headers. This update fixes these problems. We apologize for the inconvenience. Original advisory details: Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-11468) Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python inefficiently parsed XML input with quadratic complexity. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-12084) It was discovered that Python incorrectly parsed malicious plist files. An attacker could possibly use this issue to cause Python to use excessive resources, leading to a denial of service. This issue only affected python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-13837) Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2025-15282) Omar Hasan discovered that Python incorrectly parsed malicious IMAP inputs. An attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2025-15366) Omar Hasan discovered that Python incorrectly parsed malicious POP3 inputs. An attacker could possibly use this issue to inject arbitrary POP3 commands. (CVE-2025-15367) Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie headers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0672) Omar Hasan discovered that Python incorrectly parsed malicious HTTP header names and values. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0865)

USN-8076-1: Qt vulnerabilities

1 week 1 day ago
It was discovered that Qt did not correctly handle OpenSSL's error queue. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 20.04 LTS. (CVE-2020-13962) It was discovered that Qt incorrectly handled certain XBM image files. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-17507) It was discovered that Qt did not correctly handle executing specific binaries. If a user or automated system were tricked into executing a binary at a specific file path, an attacker could cause a denial of service or execute arbitrary code. This issue was only addressed in Ubuntu 20.04 LTS. (CVE-2022-25255) It was discovered that Qt did not correctly handle certain integer arithmetic. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-51714) It was discovered that Qt did not correctly handle certain encrypted connections. An attacker could possibly use this issue to leak sensitive information. This issue was only addressed in Ubuntu 24.04 LTS. (CVE-2024-39936)