NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42010
• https://access.redhat.com/security/cve/CVE-2026-42010
• https://bugzilla.redhat.com/show_bug.cgi?id=2467289
• https://access.redhat.com/errata/RHSA-2026:13274

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-33845
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/security/cve/CVE-2026-33845
• https://bugzilla.redhat.com/show_bug.cgi?id=2450624

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Ubuntu:22.04 git.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
• https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
• https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:22.04 pam.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
• https://access.redhat.com/security/cve/CVE-2025-8941
• https://bugzilla.redhat.com/show_bug.cgi?id=2388220
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15100
• https://access.redhat.com/errata/RHSA-2025:15104
• https://access.redhat.com/errata/RHSA-2025:15107
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15101
• https://access.redhat.com/errata/RHSA-2025:15102
• https://access.redhat.com/errata/RHSA-2025:15103
• https://access.redhat.com/errata/RHSA-2025:15105
• https://access.redhat.com/errata/RHSA-2025:15106
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:21885

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-33846
• https://access.redhat.com/security/cve/CVE-2026-33846
• https://bugzilla.redhat.com/show_bug.cgi?id=2450625
• https://access.redhat.com/errata/RHSA-2026:13274

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42009
• https://access.redhat.com/security/cve/CVE-2026-42009
• https://bugzilla.redhat.com/show_bug.cgi?id=2467279

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42011
• https://access.redhat.com/security/cve/CVE-2026-42011
• https://bugzilla.redhat.com/show_bug.cgi?id=2467437
• https://access.redhat.com/errata/RHSA-2026:13274

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3833
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/security/cve/CVE-2026-3833
• https://bugzilla.redhat.com/show_bug.cgi?id=2445763
• https://gitlab.com/gnutls/gnutls/-/issues/1803

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:22.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:22.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Ubuntu:22.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:22.04 gnupg2.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68972
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46404339
• https://gpg.fail/formfeed

NVD Description

Note: Versions mentioned in the description apply only to the upstream subversion package and not the subversion package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository.

All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue.

Repositories served via other access methods are not affected.

Remediation

Upgrade Ubuntu:22.04 subversion to version 1.14.1-3ubuntu0.22.04.1+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-46901
• https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
• https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3832
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/security/cve/CVE-2026-3832
• https://bugzilla.redhat.com/show_bug.cgi?id=2445762
• https://gitlab.com/gnutls/gnutls/-/issues/1801

NVD Description

Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Remediation

There is no fixed version for Ubuntu:22.04 dpkg.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-2219
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
• https://bugs.debian.org/1129722

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:22.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4046
• https://sourceware.org/bugzilla/show_bug.cgi?id=33980
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
• https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Ubuntu:22.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4437
• https://sourceware.org/bugzilla/show_bug.cgi?id=34014

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:22.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4438
• https://sourceware.org/bugzilla/show_bug.cgi?id=34015

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42012

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42013

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42014

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-42015

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5260

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.10 package and not the python3.10 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Remediation

There is no fixed version for Ubuntu:22.04 python3.10.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-2297
• https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e
• https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e
• https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86
• https://github.com/python/cpython/issues/145506
• https://github.com/python/cpython/pull/145507
• http://www.openwall.com/lists/oss-security/2026/03/05/6
• https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9
• https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:22.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
• http://www.openwall.com/lists/oss-security/2025/11/01/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Ubuntu:22.04 util-linux.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-27456
• https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
• https://github.com/util-linux/util-linux/releases/tag/v2.41.4
• https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g