NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:22.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013
• https://akkadia.org/drepper/SHA-crypt.txt
• https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
• https://twitter.com/solardiz/status/795601240151457793

NVD Description

Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

Remediation

There is no fixed version for Ubuntu:22.04 libzstd.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-4899
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/
• https://github.com/facebook/zstd/issues/3200
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/
• https://security.netapp.com/advisory/ntap-20230725-0005/

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre2 package and not the pcre2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

Remediation

There is no fixed version for Ubuntu:22.04 pcre2.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-41409
• https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35
• https://github.com/PCRE2Project/pcre2/issues/141

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Ubuntu:22.04 pcre3.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164
• https://security-tracker.debian.org/tracker/CVE-2017-11164
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://openwall.com/lists/oss-security/2017/07/11/3
• http://www.securityfocus.com/bid/99575
• http://www.openwall.com/lists/oss-security/2023/04/11/1
• http://www.openwall.com/lists/oss-security/2023/04/12/1
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:22.04 coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
• https://security-tracker.debian.org/tracker/CVE-2016-2781
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://www.openwall.com/lists/oss-security/2016/02/28/2
• http://www.openwall.com/lists/oss-security/2016/02/28/3
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for Ubuntu:22.04 ncurses.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-50495
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html
• https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html
• https://security.netapp.com/advisory/ntap-20240119-0008/

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Remediation

There is no fixed version for Ubuntu:22.04 systemd.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-7008
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/
• https://security.netapp.com/advisory/ntap-20241122-0004/
• https://access.redhat.com/errata/RHSA-2024:2463
• https://access.redhat.com/errata/RHSA-2024:3203
• https://access.redhat.com/security/cve/CVE-2023-7008
• https://bugzilla.redhat.com/show_bug.cgi?id=2222261
• https://bugzilla.redhat.com/show_bug.cgi?id=2222672
• https://github.com/systemd/systemd/issues/25676
• https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for Ubuntu:22.04 gcc-12.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-27943
• https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/
• https://sourceware.org/bugzilla/show_bug.cgi?id=28995
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Ubuntu:22.04 gnupg2.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219
• https://access.redhat.com/security/cve/CVE-2022-3219
• https://bugzilla.redhat.com/show_bug.cgi?id=2127010
• https://dev.gnupg.org/D556
• https://dev.gnupg.org/T5993
• https://marc.info/?l=oss-security&m=165696590211434&w=4
• https://security.netapp.com/advisory/ntap-20230324-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

Remediation

There is no fixed version for Ubuntu:22.04 shadow.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29383
• https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
• https://github.com/shadow-maint/shadow/pull/687
• https://lists.debian.org/debian-lts-announce/2025/04/msg00026.html
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/
• https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.

Remediation

There is no fixed version for Ubuntu:22.04 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167
• https://curl.se/docs/CVE-2025-0167.json
• https://hackerone.com/reports/2917232
• https://security.netapp.com/advisory/ntap-20250306-0008/
• https://curl.se/docs/CVE-2025-0167.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

There is no fixed version for Ubuntu:22.04 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15079
• https://curl.se/docs/CVE-2025-15079.html
• https://curl.se/docs/CVE-2025-15079.json
• https://hackerone.com/reports/3477116
• http://www.openwall.com/lists/oss-security/2026/01/07/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

There is no fixed version for Ubuntu:22.04 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-15224
• https://curl.se/docs/CVE-2025-15224.html
• https://curl.se/docs/CVE-2025-15224.json
• https://hackerone.com/reports/3480925
• http://www.openwall.com/lists/oss-security/2026/01/07/7

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

There is no fixed version for Ubuntu:22.04 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14524
• https://curl.se/docs/CVE-2025-14524.html
• https://curl.se/docs/CVE-2025-14524.json
• https://hackerone.com/reports/3459417
• http://www.openwall.com/lists/oss-security/2026/01/07/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

1. A cookie is set using the secure keyword for https://target
2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (path=\"/\",). Since this site is not secure, the cookie should just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Remediation

There is no fixed version for Ubuntu:22.04 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086
• https://curl.se/docs/CVE-2025-9086.html
• https://curl.se/docs/CVE-2025-9086.json
• https://hackerone.com/reports/3294999
• http://www.openwall.com/lists/oss-security/2025/09/10/1
• https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:22.04 libgcrypt20.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236
• https://access.redhat.com/errata/RHSA-2024:9404
• https://bugzilla.redhat.com/show_bug.cgi?id=2268268
• https://access.redhat.com/errata/RHSA-2025:3534
• https://access.redhat.com/errata/RHSA-2025:3530
• https://access.redhat.com/security/cve/CVE-2024-2236
• https://bugzilla.redhat.com/show_bug.cgi?id=2245218

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Remediation

There is no fixed version for Ubuntu:22.04 ncurses.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-45918
• https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html
• https://security.netapp.com/advisory/ntap-20240315-0006/
• https://bugzilla.redhat.com/show_bug.cgi?id=2300290#c1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Remediation

There is no fixed version for Ubuntu:22.04 openssh.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61984
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1
• https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
• http://www.openwall.com/lists/oss-security/2025/10/07/1
• http://www.openwall.com/lists/oss-security/2025/10/12/1
• https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
• https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Remediation

There is no fixed version for Ubuntu:22.04 openssh.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61985
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

Remediation

There is no fixed version for Ubuntu:22.04 openssl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996
• https://dheatattack.gitlab.io/details/
• https://dheatattack.gitlab.io/faq/
• https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Ubuntu:22.04 shadow.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433
• https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
• https://github.com/shadow-maint/shadow/issues/1157
• https://github.com/shadow-maint/shadow/releases/tag/4.4