Ubuntu Security Advisories

It was discovered that kitty incorrectly handled certain image data. An attacker able to write to the terminal's input could possibly use this issue to cause kitty to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-33633) It was discovered that kitty incorrectly handled certain graphics commands. An attacker able to write escape sequences to a kitty terminal could possibly use this issue to cause kitty to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-33642)

It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container.

It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Packet sockets; (CVE-2026-31504, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-46028)

A security issue was discovered in the Linux kernel. An attacker could possibly use this to compromise the system. This update corrects flaws in the following subsystem: - Packet sockets; (CVE-2026-31504)

Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo discovered that some AMD Zen processors did not properly verify the signature of CPU microcode. This flaw is known as EntrySign. A privileged attacker could possibly use this issue to cause load malicious CPU microcode causing loss of integrity and confidentiality. (CVE-2024-36347) It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contain a memory leak when handling AppArmor notifications. A local attacker could use this to cause resource exhaustion. (CVE-2026-47326) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contain a NULL pointer dereference when handling AppArmor notifications. A local attacker could use this to cause a kernel oops. (CVE-2026-47327) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained an invalid free when handling AppArmor notifications. A local attacker could use this to corrupt kernel memory. (CVE-2026-47328) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained insufficient validation of AppArmor notification responses. A local attacker could use this to allow crafted responses to be processed. (CVE-2026-47329) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 used an uninitialized variable when handling AppArmor notifications. A local attacker could use this to cause incorrect caching of data. (CVE-2026-47330) Tristan Madani discovered that Ubuntu Linux kernel 6.8 contained a use- after-free (UAF) bug. A local attacker could use this to cause memory corruption and, theoretically, arbitrary code execution. (CVE-2026-47331) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained an out-of-bounds (OOB) read when handling AppArmor notifications. A local attacker could use this to cause information disclosure of kernel memory. (CVE-2026-47332) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained a out-of-bounds (OOB) read when handling AppArmor notifications. A local attacker could use this to cause kernel memory corruption and, theoretically, influence processing of AppArmor policies. (CVE-2026-47333) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained incorrect holding of locks when handling AppArmor notifications. A local attacker could use this to cause a kernel panic or deadlock. (CVE-2026-47334) Tristan Madani discovered that Ubuntu Linux kernel 6.8 contained a NULL pointer dereference when handling AppArmor notifications. A local attacker could use this to cause a kernel panic. (CVE-2026-47335) Tristan Madani discovered that Ubuntu Linux kernel 6.8 used an uninitialized variable when handling AppArmor AF_INET/AF_INET6 socket mediation. A local attacker could use this to influence processing of fine- grained network socket mediation. (CVE-2026-47336) Tristan Madani and Trevor Lawrence have each independently discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained a NULL pointer dereference when handling AppArmor network socket mediation. A local attacker could use this to cause a kernel oops. (CVE-2026-47337) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - MIPS architecture; - PowerPC architecture; - x86 architecture; - Block layer subsystem; - Cryptographic API; - Compute Acceleration Framework; - ACPI drivers; - Drivers core; - Network block device driver; - Null block device driver; - Ublk userspace block driver; - Bluetooth drivers; - Character device driver; - TPM device driver; - Clock framework and drivers; - Data acquisition framework and drivers; - Counter interface drivers; - Hardware crypto device drivers; - DMA engine subsystem; - DPLL subsystem; - GPU drivers; - HID subsystem; - Hardware monitoring drivers; - Intel Trace Hub HW tracing drivers; - IIO ADC drivers; - IIO subsystem; - InfiniBand drivers; - Input Device core drivers; - On-Chip Interconnect management framework; - IOMMU subsystem; - IRQ chip drivers; - Modular ISDN driver; - LED subsystem; - Macintosh device drivers; - Multiple devices driver; - Media drivers; - UACCE accelerator framework; - MMC subsystem; - Ethernet bonding driver; - Network drivers; - Mellanox network drivers; - STMicroelectronics network drivers; - Ethernet team driver; - MediaTek network drivers; - NVME drivers; - PA-RISC drivers; - PHY drivers; - Chrome hardware platform drivers; - x86 platform drivers; - i.MX PM domains; - Voltage and Current Regulator drivers; - SCSI subsystem; - SLIMbus drivers; - SPI subsystem; - Media Oriented Systems Transport (MOST) driver; - Realtek RTL8723BS SDIO drivers; - TCM subsystem; - USB Host Controller drivers; - USB Type-C Connector System Software Interface driver; - Backlight driver; - W1 Dallas's 1-wire bus driver; - Watchdog drivers; - Xen hypervisor drivers; - BFS file system; - BTRFS file system; - EFI Variable file system; - exFAT file system; - Ext4 file system; - F2FS file system; - FUSE (File system in Userspace); - HFS+ file system; - File systems infrastructure; - Journaling layer for block devices (JBD2); - Network file system (NFS) client; - Network file system (NFS) server daemon; - File system notification infrastructure; - NTFS3 file system; - OCFS2 file system; - SMB network file system; - BPF subsystem; - Ethernet bridge; - Scheduler infrastructure; - Netfilter; - NFC subsystem; - Tracing infrastructure; - io_uring subsystem; - Perf events; - Locking primitives; - Shadow Call Stack mechanism; - Floating proportions library; - Memory management; - Bluetooth subsystem; - CAIF protocol; - CAN network layer; - Ceph Core library; - Networking core; - Ethtool driver; - Handshake API; - HSR network protocol; - IPv4 networking; - IPv6 networking; - L2TP protocol; - MAC80211 subsystem; - Multipath TCP; - NET/ROM layer; - Open vSwitch; - Packet sockets; - RDS protocol; - Rose network layer; - RxRPC session sockets; - Network traffic control; - SCTP protocol; - Network sockets; - Sun RPC protocol; - TLS protocol; - Unix domain sockets; - VMware vSockets driver; - Wireless networking; - Integrity Measurement Architecture(IMA) framework; - Key management; - Simplified Mandatory Access Control Kernel framework; - ALSA AC97 driver; - Generic PCM loopback sound driver; - FireWire sound drivers; - HD-audio driver; - Turtle Beach Wavefront ALSA driver; - Creative Sound Blaster X-Fi driver; - AMD SoC Alsa drivers; - Texas InstrumentS Audio (ASoC/HDA) drivers; - STMicroelectronics SoC drivers; - USB sound devices; - KVM subsystem; (CVE-2024-50004, CVE-2024-57795, CVE-2024-58096, CVE-2024-58097, CVE-2025-22022, CVE-2025-22111, CVE-2025-37926, CVE-2025-38022, CVE-2025-38201, CVE-2025-38234, CVE-2025-38591, CVE-2025-40039, CVE-2025-40082, CVE-2025-40149, CVE-2025-40164, CVE-2025-40325, CVE-2025-68206, CVE-2025-68254, CVE-2025-68255, CVE-2025-68256, CVE-2025-68257, CVE-2025-68258, CVE-2025-68259, CVE-2025-68261, CVE-2025-68263, CVE-2025-68264, CVE-2025-68265, CVE-2025-68266, CVE-2025-68291, CVE-2025-68325, CVE-2025-68332, CVE-2025-68335, CVE-2025-68336, CVE-2025-68337, CVE-2025-68344, CVE-2025-68345, CVE-2025-68346, CVE-2025-68347, CVE-2025-68349, CVE-2025-68351, CVE-2025-68354, CVE-2025-68358, CVE-2025-68362, CVE-2025-68363, CVE-2025-68364, CVE-2025-68365, CVE-2025-68366, CVE-2025-68367, CVE-2025-68369, CVE-2025-68371, CVE-2025-68372, CVE-2025-68374, CVE-2025-68378, CVE-2025-68379, CVE-2025-68380, CVE-2025-68724, CVE-2025-68725, CVE-2025-68727, CVE-2025-68728, CVE-2025-68732, CVE-2025-68733, CVE-2025-68740, CVE-2025-68741, CVE-2025-68742, CVE-2025-68744, CVE-2025-68746, CVE-2025-68749, CVE-2025-68753, CVE-2025-68755, CVE-2025-68756, CVE-2025-68757, CVE-2025-68758, CVE-2025-68759, CVE-2025-68763, CVE-2025-68764, CVE-2025-68765, CVE-2025-68766, CVE-2025-68767, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68782, CVE-2025-68783, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68803, CVE-2025-68804, CVE-2025-68806, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-68823, CVE-2025-71064, CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71071, CVE-2025-71072, CVE-2025-71075, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71088, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71116, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71125, CVE-2025-71126, CVE-2025-71127, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71141, CVE-2025-71143, CVE-2025-71144, CVE-2025-71147, CVE-2025-71148, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2025-71160, CVE-2025-71162, CVE-2025-71163, CVE-2025-71180, CVE-2025-71182, CVE-2025-71183, CVE-2025-71184, CVE-2025-71185, CVE-2025-71186, CVE-2025-71188, CVE-2025-71189, CVE-2025-71190, CVE-2025-71191, CVE-2025-71192, CVE-2025-71193, CVE-2025-71194, CVE-2025-71195, CVE-2025-71196, CVE-2025-71197, CVE-2025-71198, CVE-2025-71199, CVE-2025-71200, CVE-2025-71220, CVE-2025-71222, CVE-2025-71224, CVE-2025-71225, CVE-2025-71268, CVE-2026-22976, CVE-2026-22977, CVE-2026-22978, CVE-2026-22979, CVE-2026-22980, CVE-2026-22982, CVE-2026-22984, CVE-2026-22990, CVE-2026-22991, CVE-2026-22992, CVE-2026-22994, CVE-2026-22996, CVE-2026-22997, CVE-2026-22998, CVE-2026-22999, CVE-2026-23000, CVE-2026-23001, CVE-2026-23003, CVE-2026-23005, CVE-2026-23006, CVE-2026-23010, CVE-2026-23011, CVE-2026-23019, CVE-2026-23020, CVE-2026-23021, CVE-2026-23025, CVE-2026-23026, CVE-2026-23030, CVE-2026-23031, CVE-2026-23032, CVE-2026-23033, CVE-2026-23035, CVE-2026-23037, CVE-2026-23038, CVE-2026-23047, CVE-2026-23049, CVE-2026-23050, CVE-2026-23053, CVE-2026-23054, CVE-2026-23056, CVE-2026-23057, CVE-2026-23058, CVE-2026-23059, CVE-2026-23061, CVE-2026-23062, CVE-2026-23063, CVE-2026-23064, CVE-2026-23065, CVE-2026-23068, CVE-2026-23069, CVE-2026-23071, CVE-2026-23073, CVE-2026-23075, CVE-2026-23076, CVE-2026-23078, CVE-2026-23080, CVE-2026-23083, CVE-2026-23084, CVE-2026-23085, CVE-2026-23086, CVE-2026-23087, CVE-2026-23088, CVE-2026-23089, CVE-2026-23090, CVE-2026-23091, CVE-2026-23093, CVE-2026-23094, CVE-2026-23095, CVE-2026-23096, CVE-2026-23097, CVE-2026-23098, CVE-2026-23099, CVE-2026-23101, CVE-2026-23102, CVE-2026-23103, CVE-2026-23105, CVE-2026-23107, CVE-2026-23108, CVE-2026-23110, CVE-2026-23112, CVE-2026-23113, CVE-2026-23116, CVE-2026-23119, CVE-2026-23120, CVE-2026-23121, CVE-2026-23123, CVE-2026-23124, CVE-2026-23125, CVE-2026-23126, CVE-2026-23128, CVE-2026-23129, CVE-2026-23131, CVE-2026-23133, CVE-2026-23135, CVE-2026-23136, CVE-2026-23139, CVE-2026-23140, CVE-2026-23141, CVE-2026-23142, CVE-2026-23144, CVE-2026-23145, CVE-2026-23146, CVE-2026-23148, CVE-2026-23150, CVE-2026-23151, CVE-2026-23156, CVE-2026-23159, CVE-2026-23160, CVE-2026-23163, CVE-2026-23164, CVE-2026-23166, CVE-2026-23167, CVE-2026-23168, CVE-2026-23170, CVE-2026-23172, CVE-2026-23173, CVE-2026-23176, CVE-2026-23178, CVE-2026-23179, CVE-2026-23180, CVE-2026-23182, CVE-2026-23187, CVE-2026-23190, CVE-2026-23191, CVE-2026-23193, CVE-2026-23198, CVE-2026-23204, CVE-2026-23205, CVE-2026-23206, CVE-2026-23209, CVE-2026-23212, CVE-2026-23213, CVE-2026-23214, CVE-2026-23215, CVE-2026-23216, CVE-2026-23231, CVE-2026-23254, CVE-2026-23256, CVE-2026-23257, CVE-2026-23258, CVE-2026-23260, CVE-2026-23261, CVE-2026-23262, CVE-2026-23264, CVE-2026-23274, CVE-2026-23351, CVE-2026-23394, CVE-2026-31419, CVE-2026-31504, CVE-2026-31533, CVE-2026-31676, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-43362, CVE-2026-43494, CVE-2026-46028, CVE-2026-46323)

It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Ethernet bonding driver; - SMB network file system; - Netfilter; - io_uring subsystem; - Packet sockets; - RDS protocol; - TLS protocol; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351, CVE-2026-31419, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-43494, CVE-2026-46028)

It was discovered that OpenImageIO incorrectly performed bounds checking when processing SGI files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-43903) It was discovered that OpenImageIO incorrectly handled run-length encoding when processing Softimage PIC files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-43904) It was discovered that OpenImageIO incorrectly validated subimage metadata when processing HEIF files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-43906) It was discovered that OpenImageIO contained multiple integer overflow vulnerabilities when processing DPX files. An attacker could possibly use these issues to cause a denial of service or execute arbitrary code. (CVE-2026-43907, CVE-2026-43908, CVE-2026-43909)

Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640) Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-32629) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Network drivers; - NVME drivers; - SMB network file system; - Netfilter; - io_uring subsystem; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23112, CVE-2026-23273, CVE-2026-23274, CVE-2026-23351)

It was discovered that rabbitmq-c exposed credentials in command-line arguments under certain circumstances. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2023-35789) It was discovered that rabbitmq-c incorrectly handled AMQP frame lengths under certain circumstances, which could lead to an out-of-bounds read. A remote attacker could possibly use this issue to cause rabbitmq-c to crash, resulting in a denial of service. (CVE-2026-44235) It was discovered that rabbitmq-c incorrectly handled AMQP login handshakes under certain circumstances, which could lead to a heap buffer overflow. A remote attacker could possibly use this issue to cause rabbitmq-c to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-44236)

It was discovered that OpenStack Keystone allowed restricted application credentials to create EC2 credentials. An authenticated attacker with only a reader role could possibly use this issue to bypass the role restrictions imposed on the application credential. (CVE-2026-33551) It was discovered that the OpenStack Keystone LDAP identity backend did not correctly convert the user enabled attribute to a boolean value. An attacker could possibly use this issue to authenticate as a user disabled in LDAP. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-40683) It was discovered that OpenStack Keystone's application credential authentication plugin did not verify that the user supplied in an authentication request matched the credential owner. An authenticated attacker could possibly impersonate another user and gain access to their tokens and credentials. (CVE-2026-42998) It was discovered that OpenStack Keystone's RBAC policy enforcer unconditionally merged the raw JSON request body into the policy enforcement dictionary, overwriting trusted target data. An authenticated attacker could possibly use this issue to inject arbitrary policy attributes to bypass RBAC checks. (CVE-2026-42999) It was discovered that OpenStack Keystone allowed an attacker with the member role to escalate privileges to admin by chaining application credential impersonation with Keystone trusts. An attacker could possibly use this issue to create a persistent trust delegating the victim's admin role to themselves. (CVE-2026-43000) It was discovered that OpenStack Keystone did not validate that the project_id for an EC2 credential matched the project of the authenticating application credential. An attacker with valid credentials for one project could possibly use this issue to create EC2 credentials targeting a different project. (CVE-2026-43001) It was discovered that OpenStack Keystone's federated token rescoping mechanism did not propagate the original token's expiry to the newly issued token. A remote attacker could possibly use this issue to maintain access indefinitely by repeatedly rescoping tokens before expiry. (CVE-2026-44394)

It was discovered that FreeRDP incorrectly handled memory under certain circumstances, which could lead to an out-of-bounds heap write. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-45700) In addition, this update fixes a regression introduced in USN-8105-1. The update introduces a complete fix for CVE-2026-22858, CVE-2026-23732 and CVE-2026-25952 in Ubuntu 24.04 LTS and Ubuntu 25.10.

USN-8349-1 fixed vulnerabilities in rsync. Unfortunately that update introduced multiple regressions in rsync functionality. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service. (CVE-2025-10158) Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without chroot protection were exposed to a race condition on parent path components. A local attacker with write access to a module could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-29518) It was discovered that rsync did not properly validate a length value while sorting extended attributes. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035) It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations. A remote attacker could possibly use this issue to bypass hostname-based access controls and access network services. (CVE-2026-43617) Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618) Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system calls for daemons configured without chroot protection. A local attacker could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619) Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service. (CVE-2026-43620) Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An attacker able to intercept network communications or a malicious proxy server could possibly use this issue to cause a denial of service. (CVE-2026-45232)

It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security (TLS) encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246) It was also discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2026-42257)

It was discovered that ADSys did not properly handle certain HTTP/2 frames. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-27141) It was discovered that ADSys did not properly handle certain HTTP/2 SETTINGS frames. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-33814)

It was discovered that tmux incorrectly handled image cleanup, leading to a use-after-free vulnerability. A local attacker could possibly use this issue to cause tmux to crash, resulting in a denial of service.

USN-8398-1 fixed a vulnerability in nginx. The update caused a regression and was temporarily reverted in USN-8398-2. This update introduces a complete fix for CVE-2026-49975. We apologize for the inconvenience. Original advisory details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a regression that cause CUPS to crash when parsing certain large printer PPD files. This update fixes the problem. Original advisory details: Ariel Silver discovered that CUPS incorrectly handled username comparisons during authorization checks. A local attacker could possibly use this issue to gain unauthorized access to restricted operations. (CVE-2026-27447) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled notify-recipient-uri values in the RSS notifier. A remote attacker could possibly use this issue to overwrite lp-writable files and cause a denial of service. (CVE-2026-34978) Jacob Newman discovered that CUPS incorrectly handled filter option strings when processing job attributes. An attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-34979) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled page-border values in shared PostScript queues. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-34980) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled localhost authentication to attacker-controlled IPP services. A local attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. (CVE-2026-34990) Tomer Fichman discovered that CUPS incorrectly handled negative job-password-supported values. A local attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. (CVE-2026-39314) Tomer Fichman discovered that CUPS incorrectly handled temporary printer deletion. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2026-39316) Tomer Fichman discovered that CUPS incorrectly handled certain malformed SNMP responses. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41079)

It was discovered that Mesa did not properly validate memory allocation sizes in WebGPU under certain circumstances. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Ethernet bonding driver; - SMB network file system; - Netfilter; - io_uring subsystem; - Packet sockets; - RDS protocol; - TLS protocol; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351, CVE-2026-31419, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078, CVE-2026-43494, CVE-2026-46028)

It was discovered that lwIP contained a buffer overflow in the EAP authentication handling code. An attacker could possibly use this issue to trigger a buffer overflow, resulting in arbitrary code execution or a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8597) It was discovered that lwIP incorrectly handled certain ICMPv6 or 6LoWPAN packets. An attacker could possibly use this issue to trigger a buffer overflow, resulting in information disclosure. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-22283, CVE-2020-22284) It was discovered that lwIP did not properly validate certain SNMPv3 authentication parameters. An attacker could possibly use this issue to trigger a stack-based buffer overflow, resulting in arbitrary code execution or a denial of service. (CVE-2026-8836)