Ubuntu Security Advisories

USN-8414-2: OpenSSL vulnerabilities

1 hour 25 minutes ago
USN-8414-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtain sensitive information. (CVE-2026-34180) Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could accept forged CMS AuthEnvelopedData messages. An attacker could possibly use this issue to bypass message authentication checks. (CVE-2026-34182) Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan Zhang discovered that OpenSSL had a possible NULL dereference in password-based CMS decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42766) Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a NULL pointer dereference in CRMF EncryptedValue decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42767) Thai Duong discovered that OpenSSL had a heap use-after-free in PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-45447) Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer overflow in ASN.1 multibyte string conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-7383) Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS password-based decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-9076)

USN-8156-2: GDK-PixBuf vulnerability

3 hours 27 minutes ago
USN-8156-1 fixed a vulnerability in GDK-PixBuf. This update provides the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that GDK-PixBuf incorrectly handled certain JPEG files. An attacker could use this issue to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-8412-1: QEMU vulnerabilities

3 hours 32 minutes ago
Felipe Franciosi, Raphael Norwitz, and Peter Turschmid discovered that the iSCSI block driver in QEMU incorrectly handled certain responses from an iSCSI server. A remote attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-1711) It was discovered that the iSCSI block driver in QEMU incorrectly handled certain memory operations, leading to a heap-based buffer over-read. An attacker could possibly use this issue to expose sensitive information from the host. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-11947) Ziming Zhang discovered that the SM501 display driver in QEMU contained an integer overflow. A local attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-12829) Gaoning Pan and Xingwei Li discovered that the USB xHCI controller implementation in QEMU contained an infinite loop. An attacker inside the guest could possibly use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2020-14394) Lei Sun discovered that QEMU incorrectly handled certain MemoryRegionOps objects, leading to a NULL pointer dereference. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2020-15469) Alexander Bulekov discovered that the e1000e network device implementation in QEMU contained a use-after-free. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-15859) Ziming Zhang discovered that the XGMAC Ethernet controller in QEMU contained a buffer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-15863) Alexander Bulekov discovered that the SDHCI device emulation in QEMU contained a heap-based buffer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-17380) Sergej Schumilo, Cornelius Aschermann, and Simon Wörner discovered that the USB xHCI controller implementation in QEMU did not check a return value, leading to a use-after-free. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-25084) Gaoning Pan, Yongkang Jia, and Yi Ren discovered that the USB OHCI controller implementation in QEMU contained a stack-based buffer over-read. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-25624) It was discovered that the USB OHCI controller implementation in QEMU contained an infinite loop. An attacker inside the guest could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-25625) Cheolwoo Myung discovered that the USB EHCI emulation in QEMU did not handle DMA memory map failures, leading to a reachable assertion. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-25723) Gaoning Pan discovered that the network device emulation in QEMU could be made to trigger an assertion failure when processing packets that lacked a valid layer 3 protocol. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-27617) Wenxiang Qian discovered that the ATAPI emulation in QEMU did not properly validate a buffer index, leading to an out-of-bounds read. An attacker inside the guest could possibly use this issue to expose sensitive information or cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-29443) Cheolwoo Myung discovered that the ESP SCSI emulation in QEMU contained a NULL pointer dereference. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2020-35504) Cheolwoo Myung discovered that the am53c974 SCSI host bus adapter emulation in QEMU contained a NULL pointer dereference. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2020-35505) It was discovered that the SDHCI controller emulation in QEMU contained out-of-bounds read and write issues. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-3409) It was discovered that several network device emulations in QEMU contained an infinite loop when operating in loopback mode. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-3416) Alexander Bulekov discovered that the floppy disk emulation in QEMU contained a heap-based buffer overflow. An attacker inside the guest could possibly use this issue to expose sensitive information or cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-3507) Remy Noel discovered that the USB redirector device emulation in QEMU performed an unbounded stack allocation when combining USB packets. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-3527) It was discovered that the QXL display device emulation in QEMU contained an integer overflow, leading to a heap-based buffer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-4206) It was discovered that the QXL display device emulation in QEMU performed a double fetch of guest-controlled values, leading to a heap-based buffer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-4207) It was discovered that the 9pfs server implementation in QEMU contained a race condition, leading to a use-after-free. A malicious 9p client could possibly use this issue to escalate privileges. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-20181) Gaoning Pan discovered that the floppy disk emulation in QEMU contained a NULL pointer dereference. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-20196) Gaoning Pan discovered that the vmxnet3 network device emulation in QEMU contained an integer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-20203) It was discovered that the ARM Generic Interrupt Controller emulation in QEMU contained an out-of-bounds heap access. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-20221) Alexander Bulekov, Cheolwoo Myung, Sergej Schumilo, Cornelius Aschermann, and Simon Wörner discovered that the e1000 network device emulation in QEMU contained an infinite loop. An attacker inside the guest could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-20257) It was discovered that the 9p passthrough file system implementation in QEMU did not prevent opening special files on the host. A malicious guest could possibly use this issue to escape the exported 9p tree. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2023-2861) It was discovered that the virtio crypto device emulation in QEMU did not properly validate certain buffer lengths, leading to a heap buffer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2023-3180) It was discovered that the built-in VNC server in QEMU contained a NULL pointer dereference when cleaning up a connection that failed during the handshake. A remote attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2023-3354) It was discovered that QEMU could incorrectly direct a guest I/O operation to disk offset 0 instead of the intended offset. An attacker inside the guest could possibly use this issue to read or overwrite sensitive data, potentially gaining control of the host. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2023-5088) It was discovered that several virtio device emulations in QEMU did not properly guard against DMA reentrancy, leading to a double free. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2024-3446) It was discovered that the SDHCI device emulation in QEMU contained a heap-based buffer overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2024-3447) It was discovered that the QEMU disk image utility (qemu-img) did not properly handle certain crafted image files. An attacker could possibly use this issue to cause qemu-img to consume excessive resources or access an unintended external file, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2024-4467) Cyrille Chatras discovered that the LSI53C895A SCSI Host Bus Adapter emulation in QEMU contained a use-after-free. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2024-6519) It was discovered that the NBD server in QEMU contained an improper synchronization issue during socket closure. A remote attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2024-7409) It was discovered that the USB emulation in QEMU contained a reachable assertion. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2024-8354) It was discovered that QEMU incorrectly handled resources during the VNC WebSocket handshake, leading to a use-after-free. A remote attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2025-11234) It was discovered that QEMU could be made to read out of bounds when reading VMDK images. An attacker could possibly use this issue to expose sensitive information or cause QEMU to crash, resulting in a denial of service. (CVE-2026-2243)

USN-8413-1: Cyborg vulnerabilities

3 hours 45 minutes ago
It was discovered that Cyborg did not properly enforce project ownership in the Accelerator Request (ARQ) API. An authenticated user could possibly use this issue to delete ARQs bound to other projects' instances, resulting in a cross-tenant denial of service. (CVE-2026-40214) It was discovered that Cyborg used a permissive default policy that authorized any request carrying a valid authentication token, regardless of roles or scope, for multiple API endpoints. An authenticated user could possibly use this issue to perform unauthorized actions, such as reprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)

USN-8411-1: Lodash vulnerabilities

4 hours 37 minutes ago
It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203) Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500) Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker could possibly use this issue to inject and execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337) It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from global prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-13465) It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from built-in prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950) It was discovered that Lodash did not properly validate certain inputs to the template function. An attacker could possibly use this issue to inject malicious code during template processing, resulting in arbitrary code execution. (CVE-2026-4800)

USN-8398-2: nginx regression

6 hours 6 minutes ago
USN-8398-1 fixed a vulnerability in nginx. The update introduced a regression causing nginx to crash when being used with external modules. This update reverts the fix for CVE-2026-49975 pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

USN-8044-2: alsa-lib vulnerability

10 hours 30 minutes ago
USN-8044-1 fixed a vulnerability in alsa-lib. This update provides the corresponding fix for alsa-lib on Ubuntu 20.04 LTS. Original advisory details: It was discovered that alsa-lib incorrectly handled the topology mixer control decoder. A local attacker could use a specially crafted topology file to cause alsa-lib to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-8407-1: strongSwan vulnerability

1 day 2 hours ago
Elliott Childre discovered that strongSwan incorrectly handled the cloning of certain identities. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-8349-2: rsync regression

1 day 3 hours ago
USN-8349-1 fixed vulnerabilities in rsync. The update introduced multiple regressions in rsync functionality. This update fixes the problem. Original advisory details: Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service. (CVE-2025-10158) Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without chroot protection were exposed to a race condition on parent path components. A local attacker with write access to a module could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-29518) It was discovered that rsync did not properly validate a length value while sorting extended attributes. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035) It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations. A remote attacker could possibly use this issue to bypass hostname-based access controls and access network services. (CVE-2026-43617) Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618) Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system calls for daemons configured without chroot protection. A local attacker could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619) Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service. (CVE-2026-43620) Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An attacker able to intercept network communications or a malicious proxy server could possibly use this issue to cause a denial of service. (CVE-2026-45232)

USN-8406-1: Net::CIDR::Lite vulnerabilities

1 day 3 hours ago
Dave Rolsky discovered that Net::CIDR::Lite did not properly handle extraneous zero characters at the beginning of an IP address string. A remote attacker could possibly use this issue to bypass access controls that are based on IP addresses. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-47154) It was discovered that Net::CIDR::Lite did not properly validate the IPv6 group count when handling uncompressed IPv6 addresses. A remote attacker could possibly use this issue to bypass access controls. (CVE-2026-40198) It was discovered that Net::CIDR::Lite mishandled IPv4 mapped IPv6 addresses. A remote attacker could possibly use this issue to bypass access controls that are based on IP addresses. (CVE-2026-40199)

USN-8405-1: CUPS vulnerabilities

1 day 4 hours ago
Ariel Silver discovered that CUPS incorrectly handled username comparisons during authorization checks. A local attacker could possibly use this issue to gain unauthorized access to restricted operations. (CVE-2026-27447) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled notify-recipient-uri values in the RSS notifier. A remote attacker could possibly use this issue to overwrite lp-writable files and cause a denial of service. (CVE-2026-34978) Jacob Newman discovered that CUPS incorrectly handled filter option strings when processing job attributes. An attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-34979) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled page-border values in shared PostScript queues. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-34980) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled localhost authentication to attacker-controlled IPP services. A local attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. (CVE-2026-34990) Tomer Fichman discovered that CUPS incorrectly handled negative job-password-supported values. A local attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. (CVE-2026-39314) Tomer Fichman discovered that CUPS incorrectly handled temporary printer deletion. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2026-39316) Tomer Fichman discovered that CUPS incorrectly handled certain malformed SNMP responses. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41079)

USN-8403-1: Kea DHCP vulnerability

1 day 5 hours ago
Ali Norouzi discovered that Kea DHCP did not properly handle maliciously crafted messages over configured API sockets and HA listeners. A remote attacker could possibly use this issue to cause Kea DHCP to crash, resulting in a denial of service.

USN-8401-1: Netty vulnerabilities

1 day 6 hours ago
It was discovered that Netty's HTTP proxy handler did not properly validate headers when constructing CONNECT requests. An attacker could possibly use this issue to inject arbitrary HTTP headers into CONNECT requests. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42578) It was discovered that Netty's DNS codec did not properly enforce domain name constraints. An attacker could possibly use this issue to bypass domain name validation, or cause Netty to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42579) It was discovered that Netty did not correctly handle HTTP/1.0 requests containing both a Transfer-Encoding and Content-Length header. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2026-42581) Violeta Georgieva discovered that Netty incorrectly paired responses with requests when handling informational HTTP responses. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2026-42584) Violeta Georgieva discovered that Netty incorrectly parsed malformed Transfer-Encoding headers. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2026-42585) It was discovered that Netty's Redis encoder did not validate CRLF characters. An attacker could possibly use this issue to inject arbitrary Redis commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42586)

USN-8402-1: systemd vulnerabilities

1 day 6 hours ago
It was discovered that systemd-nspawn incorrectly handled certain optional configuration files. A local attacker could possibly use this issue to escape to the host system and execute arbitrary code. (CVE-2026-40226) It was discovered that systemd-resolved incorrectly validated DNSSEC records for signed domains. An attacker could possibly use this issue to manipulate DNS records. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-7008)

USN-8400-1: poppler vulnerability

1 day 7 hours ago
It was discovered that poppler incorrectly handled certain malformed PDF tiling patterns in the Splash backend. An attacker could possibly use this issue to execute arbitrary code, obtain sensitive information, or cause a denial of service.

USN-8399-1: Pillow vulnerabilities

1 day 7 hours ago
It was discovered that Pillow incorrectly handled large glyph advance values in fonts. An attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service. (CVE-2026-42308) It was discovered that Pillow incorrectly handled nested coordinate lists in certain APIs. An attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42309) It was discovered that Pillow incorrectly handled certain malformed PDF files. An attacker could possibly use this issue to cause Pillow to use excessive resources, leading to a denial of service. (CVE-2026-42310) It was discovered that Pillow incorrectly handled certain malformed PSD files. An attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service, or to execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42311)