3 hours 43 minutes ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- HSI subsystem;
- Bluetooth subsystem;
- Timer subsystem;
(CVE-2025-37838, CVE-2025-38118, CVE-2025-38352)
3 hours 48 minutes ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- DMA engine subsystem;
- GPU drivers;
- HSI subsystem;
- Media drivers;
- Ethernet team driver;
- SPI subsystem;
- USB core drivers;
- Framebuffer layer;
- BTRFS file system;
- Ext4 file system;
- Network file system (NFS) server daemon;
- NILFS2 file system;
- Timer subsystem;
- DCCP (Datagram Congestion Control Protocol);
- IPv6 networking;
- NET/ROM layer;
- Packet sockets;
- Network traffic control;
- SCTP protocol;
- VMware vSockets driver;
- USB sound devices;
(CVE-2023-52477, CVE-2023-52574, CVE-2023-52650, CVE-2024-27074,
CVE-2024-35849, CVE-2024-41006, CVE-2024-47685, CVE-2024-49924,
CVE-2024-50006, CVE-2024-50051, CVE-2024-50202, CVE-2024-50299,
CVE-2024-53124, CVE-2024-53130, CVE-2024-53131, CVE-2024-53150,
CVE-2024-56767, CVE-2024-57996, CVE-2025-21796, CVE-2025-37752,
CVE-2025-37785, CVE-2025-37838, CVE-2025-38350, CVE-2025-38352,
CVE-2025-38477, CVE-2025-38617, CVE-2025-38618)
7 hours 22 minutes ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- HSI subsystem;
- I3C subsystem;
- SMB network file system;
- Padata parallel execution mechanism;
- Timer subsystem;
- Networking core;
(CVE-2023-52854, CVE-2024-35867, CVE-2024-50061, CVE-2024-56664,
CVE-2025-21727, CVE-2025-37838, CVE-2025-38352)
7 hours 32 minutes ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- HSI subsystem;
- I3C subsystem;
- SMB network file system;
- Padata parallel execution mechanism;
- Timer subsystem;
- Networking core;
(CVE-2023-52854, CVE-2024-35867, CVE-2024-50061, CVE-2024-56664,
CVE-2025-21727, CVE-2025-37838, CVE-2025-38352)
2 days 15 hours ago
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: eliminate double free in error handling logic
Driver has a logic leak in ring data allocation/free, where aq_ring_free
could be called multiple times on same ring, if system is under stress and
got memory allocation error.
In the Linux kernel, the following vulnerability has been resolved:
sctp: properly validate chunk size in sctp_sf_ootb()
A size validation fix similar to that in Commit 50619dbf8db7 ('sctp: add size
validation when walking chunks') is also required in sctp_sf_ootb() to
address a crash reported by syzbot:
BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
(CVE-2024-50299)
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors.
In the Linux kernel, the following vulnerability has been resolved:
ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
After an insertion in TNC, the tree might split and cause a node to change
its `znode->parent`.
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
@ses is initialized to NULL.
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with ltp
test (pcrypt_aead01).
In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and
posix_cpu_timer_del()
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or
debugger right after unlock_task_sighand().
2 days 20 hours ago
It was discovered that Freeglut incorrectly managed memory, resulting in a
memory leak. An attacker could possibly use this issue to cause a denial of
service.
3 days 1 hour ago
It was discovered that FFmpeg incorrectly handled memory allocation in the
ALS audio decoder. If a user was tricked into loading a crafted media file,
a remote attacker could possibly use this issue to make FFmpeg crash,
resulting in a denial of service.
6 days 10 hours ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS.
6 days 10 hours ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- HSI subsystem;
- Bluetooth subsystem;
- Timer subsystem;
(CVE-2025-37838, CVE-2025-38118, CVE-2025-38352)
1 week ago
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- PowerPC architecture;
- x86 architecture;
- ACPI drivers;
- Ublk userspace block driver;
- Clock framework and drivers;
- GPU drivers;
- IIO subsystem;
- InfiniBand drivers;
- Media drivers;
- MemoryStick subsystem;
- Network drivers;
- NTB driver;
- PCI subsystem;
- Remote Processor subsystem;
- Thermal drivers;
- Virtio Host (VHOST) subsystem;
- 9P distributed file system;
- File systems infrastructure;
- JFS file system;
- Network file system (NFS) server daemon;
- NTFS3 file system;
- SMB network file system;
- Memory management;
- RDMA verbs API;
- Kernel fork() syscall;
- Tracing infrastructure;
- Watch queue notification mechanism;
- Asynchronous Transfer Mode (ATM) subsystem;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Netfilter;
- Network traffic control;
- SCTP protocol;
- TLS protocol;
- SoC Audio for Freescale CPUs drivers;
(CVE-2025-39728, CVE-2025-23136, CVE-2025-22062, CVE-2025-22035,
CVE-2025-22020, CVE-2025-22083, CVE-2025-22071, CVE-2025-22060,
CVE-2025-22073, CVE-2025-22044, CVE-2025-22063, CVE-2025-22079,
CVE-2025-22057, CVE-2025-22095, CVE-2025-39735, CVE-2025-39682,
CVE-2025-22058, CVE-2025-22021, CVE-2025-22018, CVE-2025-22056,
CVE-2025-22054, CVE-2025-22080, CVE-2025-22039, CVE-2025-22019,
CVE-2025-22038, CVE-2025-22028, CVE-2023-53034, CVE-2024-58092,
CVE-2025-38637, CVE-2025-22089, CVE-2025-40114, CVE-2025-22068,
CVE-2025-37937, CVE-2025-22070, CVE-2025-22072, CVE-2025-22086,
CVE-2025-22050, CVE-2025-22040, CVE-2025-22065, CVE-2025-38575,
CVE-2025-22064, CVE-2025-22033, CVE-2025-22041, CVE-2025-22090,
CVE-2025-22036, CVE-2025-23138, CVE-2025-22047, CVE-2025-38240,
CVE-2025-22066, CVE-2025-22042, CVE-2025-38152, CVE-2025-22055,
CVE-2025-22081, CVE-2025-22045, CVE-2025-22053, CVE-2025-22075,
CVE-2025-22027, CVE-2025-22025, CVE-2025-22097)
1 week ago
USN-7836-1 fixed vulnerabilities in Bind. This update provides the
corresponding fixes for Ubuntu 20.04 LTS.
Original advisory details:
Zuyao Xu and Xiang Li discovered that Bind incorrectly handled certain
malformed DNSKEY records. A remote attacker could possibly use this issue
to cause Bind to consume resources, resulting in a denial of service.
(CVE-2025-8677)
Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan discovered that Bind
incorrectly accepted certain records from answers. A remote attacker could
possibly use this issue to perform a cache poisoning attack.
(CVE-2025-40778)
Amit Klein and Omer Ben Simhon discovered that Bind used a weak PRNG. A
remote attacker could possibly use this issue to perform a cache poisoning
attack. (CVE-2025-40780)
1 week 2 days ago
Hanno Böck discovered that Raptor incorrectly handled memory operations
when processing certain input files. An attacker could possibly use this
issue to cause Raptor to crash, resulting in a denial of service.
(CVE-2020-25713)
Pedro Ribeiro discovered that Raptor incorrectly handled parsing certain
tuples. An attacker could possibly use this issue to cause Raptor to crash,
resulting in a denial of service. (CVE-2024-57822)
Pedro Ribeiro discovered that Raptor incorrectly handled parsing certain
turtles. An attacker could use this issue to cause Raptor to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2024-57823)
1 week 2 days ago
Hanno Böck discovered that Raptor incorrectly handled memory operations
when processing certain input files. An attacker could use this issue to
cause Raptor to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2017-18926)
Hanno Böck discovered that Raptor incorrectly handled memory operations
when processing certain input files. An attacker could possibly use this
issue to cause Raptor to crash, resulting in a denial of service.
(CVE-2020-25713)
1 week 2 days ago
Barak Gross discovered that some Intel® Xeon® processors with SGX enabled
did not properly handle buffer restrictions. A local authenticated user
could potentially use this issue to escalate their privileges.
(CVE-2025-20053)
Avinash Maddy discovered that some Intel® processors did not properly
isolate or compartmentalize the stream cache mechanisms. A local
authenticated user could potentially use this issue to escalate their
privileges. (CVE-2025-20109)
Joseph Nuzman discovered that some Intel® Xeon® processors did not properly
manage references to active allocate resources. A local authenticated user
could potentially use this issue to cause a denial of service (system
crash). (CVE-2025-21090)
It was discovered that some Intel® Xeon® 6 processors did not properly
provide sufficient granularity of access control in the out of band
management service module (OOB-MSM). An authenticated user could
potentially use this issue to escalate their privileges. (CVE-2025-22839)
It was discovered that some Intel® Xeon® 6 Scalable processors did not
properly handle a specific sequence of processor instructions, leading to
unexpected behavior. A local authenticated user could potentially use this
issue to escalate their privileges. (CVE-2025-22840)
Joseph Nuzman discovered that some Intel® Xeon® 6 processors with Intel®
Trust Domain Extensions (Intel® TDX) did not properly handle overlap
between protected memory ranges. A local authenticated user could
potentially use this issue to escalate their privileges. (CVE-2025-22889)
Avraham Shalev discovered that some Intel® Xeon® processors did not
properly provide sufficient control flow management in the Alias Checking
Trusted Module (ACTM) firmware. A local authenticated user could
potentially use this issue to escalate their privileges. (CVE-2025-24305)
Aviv Eisen and Avraham Shalev discovered that some Intel® Xeon® 6
processors when using Intel® SGX or Intel® TDX did not properly protect
against out-of-bounds writes in the memory subsystem. A local authenticated
user could potentially use this issue to escalate their privileges.
(CVE-2025-26403)
Aviv Eisen and Avraham Shalev discovered that some Intel® Xeon® 6
processors when using Intel® SGX or Intel® TDX did not properly implement
security checks in the DDRIO configuration. A local authenticated user
could potentially use this issue to escalate their privileges.
(CVE-2025-32086)
1 week 2 days ago
It was discovered that sudo-rs incorrectly handled passwords when timeouts
occurred and the pwfeedback default was not set. This could result in a
partially typed password being output to standard input, contrary to
expectations.
It was discovered that sudo-rs incorrectly handled the targetpw and rootpw
default settings when creating timestamp files. A local attacker could
possibly use this issue to bypass authentication in certain configurations.
1 week 2 days ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Virtio block driver;
- DMA engine subsystem;
- GPU drivers;
- HSI subsystem;
- Media drivers;
- Network drivers;
- Ethernet team driver;
- TTY drivers;
- Framebuffer layer;
- BTRFS file system;
- Ext4 file system;
- Network file system (NFS) server daemon;
- Timer subsystem;
- DCCP (Datagram Congestion Control Protocol);
- IPv6 networking;
- NET/ROM layer;
- Packet sockets;
- SCTP protocol;
- VMware vSockets driver;
- USB sound devices;
(CVE-2021-47149, CVE-2021-47294, CVE-2021-47319, CVE-2021-47330,
CVE-2021-47589, CVE-2023-52574, CVE-2023-52650, CVE-2024-27078,
CVE-2024-35849, CVE-2024-49924, CVE-2024-50006, CVE-2024-50299,
CVE-2024-53124, CVE-2024-53150, CVE-2024-56767, CVE-2025-21796,
CVE-2025-37785, CVE-2025-37838, CVE-2025-38352, CVE-2025-38617,
CVE-2025-38618)
1 week 2 days ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS.
1 week 2 days ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS.
1 week 5 days ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- DMA engine subsystem;
- GPU drivers;
- HSI subsystem;
- Ethernet team driver;
- Ext4 file system;
- Timer subsystem;
- DCCP (Datagram Congestion Control Protocol);
- IPv6 networking;
- NET/ROM layer;
- SCTP protocol;
- USB sound devices;
(CVE-2023-52574, CVE-2023-52650, CVE-2024-41006, CVE-2024-50006,
CVE-2024-50299, CVE-2024-53124, CVE-2024-53150, CVE-2024-56767,
CVE-2025-37838, CVE-2025-38352)
1 week 5 days ago
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS.